PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27
github.com/PHPMailer/PHPMailer/releases/tag/v6.0.6
lists.debian.org/debian-lts-announce/2018/12/msg00020.html
lists.fedoraproject.org/archives/list/[email protected]/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/
lists.fedoraproject.org/archives/list/[email protected]/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/
www.debian.org/security/2018/dsa-4351