Search

Find a vulnerability

Search criteria

    2 vulnerabilities by swoosh

    CVE-2026-54893 (GCVE-0-2026-54893)

    Vulnerability from nvd – Published: 2026-07-06 14:04 – Updated: 2026-07-06 15:36
    VLAI
    Title
    Email-derived URL path injection in the Swoosh Microsoft Graph adapter
    Summary
    URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation. In applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a "send as" feature), an attacker can place URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application's Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token's scopes and control the request's query string. Applications that always use a fixed, trusted from address are not affected. This issue affects swoosh from 1.12.0 before 1.26.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    swoosh swoosh Affected: 1.12.0 , < 1.26.3 (semver)
        cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*
    Create a notification for this product.
    swoosh swoosh Affected: 23bfcdab71aee4613858ba6d116bb3311b72aa58 , < e38235453e81d1727bfc8d91e69ec4cb211ccf61 (git)
        cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich Po Chen Jonatan Männchen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54893",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T15:36:04.140981Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T15:36:16.097Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027"
              ],
              "packageName": "swoosh",
              "packageURL": "pkg:hex/swoosh",
              "product": "swoosh",
              "programFiles": [
                "lib/swoosh/adapters/ms_graph.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027:deliver/2"
                },
                {
                  "name": "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027:api_endpoint_url/2"
                }
              ],
              "repo": "https://github.com/swoosh/swoosh",
              "vendor": "swoosh",
              "versions": [
                {
                  "lessThan": "1.26.3",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027"
              ],
              "packageName": "swoosh/swoosh",
              "packageURL": "pkg:github/swoosh/swoosh",
              "product": "swoosh",
              "programFiles": [
                "lib/swoosh/adapters/ms_graph.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027:deliver/2"
                },
                {
                  "name": "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027:api_endpoint_url/2"
                }
              ],
              "repo": "https://github.com/swoosh/swoosh",
              "vendor": "swoosh",
              "versions": [
                {
                  "lessThan": "e38235453e81d1727bfc8d91e69ec4cb211ccf61",
                  "status": "affected",
                  "version": "23bfcdab71aee4613858ba6d116bb3311b72aa58",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThis vulnerability only affects applications that use \u003ctt\u003eSwoosh.Adapters.MsGraph\u003c/tt\u003e and derive the email \u003ctt\u003efrom\u003c/tt\u003e address from untrusted or user-influenced input (for example a relay, a contact form, or a \"send as\" feature). Applications that always send with a fixed, trusted \u003ctt\u003efrom\u003c/tt\u003e address are not affected.\u003c/p\u003e"
                }
              ],
              "value": "This vulnerability only affects applications that use Swoosh.Adapters.MsGraph and derive the email \"from\" address from untrusted or user-influenced input (for example a relay, a contact form, or a \"send as\" feature). Applications that always send with a fixed, trusted \"from\" address are not affected."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.26.3",
                      "versionStartIncluding": "1.12.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Po Chen"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eURL path injection in the Microsoft Graph adapter of Swoosh. \u003ctt\u003eSwoosh.Adapters.MsGraph\u003c/tt\u003e builds its Microsoft Graph API request URL by interpolating the sender\u0027s email address into the URL path (\u003ctt\u003e/users/{from}/sendMail\u003c/tt\u003e) without percent-encoding or validation.\u003c/p\u003e\u003cp\u003eIn applications that derive the \u003ctt\u003efrom\u003c/tt\u003e address from untrusted or user-influenced input (for example a relay, a contact form, or a \"send as\" feature), an attacker can place URL-special characters such as \u003ctt\u003e/\u003c/tt\u003e, \u003ctt\u003e?\u003c/tt\u003e, or \u003ctt\u003e#\u003c/tt\u003e in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated \u003ctt\u003ePOST\u003c/tt\u003e is sent with the application\u0027s Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token\u0027s scopes and control the request\u0027s query string. Applications that always use a fixed, trusted \u003ctt\u003efrom\u003c/tt\u003e address are not affected.\u003c/p\u003e\u003cp\u003eThis issue affects swoosh from 1.12.0 before 1.26.3.\u003c/p\u003e"
                }
              ],
              "value": "URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender\u0027s email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation.\n\nIn applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a \"send as\" feature), an attacker can place URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application\u0027s Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token\u0027s scopes and control the request\u0027s query string. Applications that always use a fixed, trusted from address are not affected.\n\nThis issue affects swoosh from 1.12.0 before 1.26.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116 Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T14:04:16.486Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/swoosh/swoosh/security/advisories/GHSA-754j-98wh-57rf"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-54893.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54893"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/swoosh/swoosh/commit/e38235453e81d1727bfc8d91e69ec4cb211ccf61"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Email-derived URL path injection in the Swoosh Microsoft Graph adapter",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eValidate or reject sender addresses that contain characters outside the allowed RFC 5321 set (in particular \u003ctt\u003e/\u003c/tt\u003e, \u003ctt\u003e?\u003c/tt\u003e, \u003ctt\u003e#\u003c/tt\u003e, and \u003ctt\u003e..\u003c/tt\u003e) before passing the email to the adapter. Alternatively, set a static \u003ctt\u003e:url\u003c/tt\u003e in the adapter configuration, which bypasses interpolation of the \u003ctt\u003efrom\u003c/tt\u003e address into the request path.\u003c/p\u003e"
                }
              ],
              "value": "Validate or reject sender addresses that contain characters outside the allowed RFC 5321 set (in particular /, ?, #, and ..) before passing the email to the adapter. Alternatively, set a static :url in the adapter configuration, which bypasses interpolation of the from address into the request path."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-54893",
        "datePublished": "2026-07-06T14:04:16.486Z",
        "dateReserved": "2026-06-16T10:47:13.915Z",
        "dateUpdated": "2026-07-06T15:36:16.097Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54893 (GCVE-0-2026-54893)

    Vulnerability from cvelistv5 – Published: 2026-07-06 14:04 – Updated: 2026-07-06 15:36
    VLAI
    Title
    Email-derived URL path injection in the Swoosh Microsoft Graph adapter
    Summary
    URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation. In applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a "send as" feature), an attacker can place URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application's Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token's scopes and control the request's query string. Applications that always use a fixed, trusted from address are not affected. This issue affects swoosh from 1.12.0 before 1.26.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    swoosh swoosh Affected: 1.12.0 , < 1.26.3 (semver)
        cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*
    Create a notification for this product.
    swoosh swoosh Affected: 23bfcdab71aee4613858ba6d116bb3311b72aa58 , < e38235453e81d1727bfc8d91e69ec4cb211ccf61 (git)
        cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich Po Chen Jonatan Männchen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54893",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T15:36:04.140981Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T15:36:16.097Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027"
              ],
              "packageName": "swoosh",
              "packageURL": "pkg:hex/swoosh",
              "product": "swoosh",
              "programFiles": [
                "lib/swoosh/adapters/ms_graph.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027:deliver/2"
                },
                {
                  "name": "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027:api_endpoint_url/2"
                }
              ],
              "repo": "https://github.com/swoosh/swoosh",
              "vendor": "swoosh",
              "versions": [
                {
                  "lessThan": "1.26.3",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027"
              ],
              "packageName": "swoosh/swoosh",
              "packageURL": "pkg:github/swoosh/swoosh",
              "product": "swoosh",
              "programFiles": [
                "lib/swoosh/adapters/ms_graph.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027:deliver/2"
                },
                {
                  "name": "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027:api_endpoint_url/2"
                }
              ],
              "repo": "https://github.com/swoosh/swoosh",
              "vendor": "swoosh",
              "versions": [
                {
                  "lessThan": "e38235453e81d1727bfc8d91e69ec4cb211ccf61",
                  "status": "affected",
                  "version": "23bfcdab71aee4613858ba6d116bb3311b72aa58",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThis vulnerability only affects applications that use \u003ctt\u003eSwoosh.Adapters.MsGraph\u003c/tt\u003e and derive the email \u003ctt\u003efrom\u003c/tt\u003e address from untrusted or user-influenced input (for example a relay, a contact form, or a \"send as\" feature). Applications that always send with a fixed, trusted \u003ctt\u003efrom\u003c/tt\u003e address are not affected.\u003c/p\u003e"
                }
              ],
              "value": "This vulnerability only affects applications that use Swoosh.Adapters.MsGraph and derive the email \"from\" address from untrusted or user-influenced input (for example a relay, a contact form, or a \"send as\" feature). Applications that always send with a fixed, trusted \"from\" address are not affected."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.26.3",
                      "versionStartIncluding": "1.12.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Po Chen"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eURL path injection in the Microsoft Graph adapter of Swoosh. \u003ctt\u003eSwoosh.Adapters.MsGraph\u003c/tt\u003e builds its Microsoft Graph API request URL by interpolating the sender\u0027s email address into the URL path (\u003ctt\u003e/users/{from}/sendMail\u003c/tt\u003e) without percent-encoding or validation.\u003c/p\u003e\u003cp\u003eIn applications that derive the \u003ctt\u003efrom\u003c/tt\u003e address from untrusted or user-influenced input (for example a relay, a contact form, or a \"send as\" feature), an attacker can place URL-special characters such as \u003ctt\u003e/\u003c/tt\u003e, \u003ctt\u003e?\u003c/tt\u003e, or \u003ctt\u003e#\u003c/tt\u003e in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated \u003ctt\u003ePOST\u003c/tt\u003e is sent with the application\u0027s Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token\u0027s scopes and control the request\u0027s query string. Applications that always use a fixed, trusted \u003ctt\u003efrom\u003c/tt\u003e address are not affected.\u003c/p\u003e\u003cp\u003eThis issue affects swoosh from 1.12.0 before 1.26.3.\u003c/p\u003e"
                }
              ],
              "value": "URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender\u0027s email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation.\n\nIn applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a \"send as\" feature), an attacker can place URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application\u0027s Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token\u0027s scopes and control the request\u0027s query string. Applications that always use a fixed, trusted from address are not affected.\n\nThis issue affects swoosh from 1.12.0 before 1.26.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116 Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T14:04:16.486Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/swoosh/swoosh/security/advisories/GHSA-754j-98wh-57rf"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-54893.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54893"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/swoosh/swoosh/commit/e38235453e81d1727bfc8d91e69ec4cb211ccf61"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Email-derived URL path injection in the Swoosh Microsoft Graph adapter",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eValidate or reject sender addresses that contain characters outside the allowed RFC 5321 set (in particular \u003ctt\u003e/\u003c/tt\u003e, \u003ctt\u003e?\u003c/tt\u003e, \u003ctt\u003e#\u003c/tt\u003e, and \u003ctt\u003e..\u003c/tt\u003e) before passing the email to the adapter. Alternatively, set a static \u003ctt\u003e:url\u003c/tt\u003e in the adapter configuration, which bypasses interpolation of the \u003ctt\u003efrom\u003c/tt\u003e address into the request path.\u003c/p\u003e"
                }
              ],
              "value": "Validate or reject sender addresses that contain characters outside the allowed RFC 5321 set (in particular /, ?, #, and ..) before passing the email to the adapter. Alternatively, set a static :url in the adapter configuration, which bypasses interpolation of the from address into the request path."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-54893",
        "datePublished": "2026-07-06T14:04:16.486Z",
        "dateReserved": "2026-06-16T10:47:13.915Z",
        "dateUpdated": "2026-07-06T15:36:16.097Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }