phpmailer/phpmailer is vulnerable to object injection attacks. The vulnerability exists due to the lack of validation on file paths to ensure if it is a permitted type, allowing object injection attacks.
github.com/PHPMailer/PHPMailer/commit/8e653bb79643abad30ae60b1aad6966c0810b896
github.com/PHPMailer/PHPMailer/compare/4874af66d45ec901b47a4c40504ed76116ba6415...f1231a9771505f4f34da060390d82eadb8448271
github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27
github.com/PHPMailer/PHPMailer/releases/tag/v6.0.6
lists.debian.org/debian-lts-announce/2018/12/msg00020.html
lists.fedoraproject.org/archives/list/[email protected]/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/
lists.fedoraproject.org/archives/list/[email protected]/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/
www.debian.org/security/2018/dsa-4351