zetacomponents/mail is vulnerable to remote code execution (RCE) attacks. The attacks can be launched using a malicious email address (for example: -X/path/to/wwwroot/file.php
) since the application does not restrict the set of characters used in ezcMail returnPath property.