All Versions
Latest Version
Avg Release Cycle
48 days
Latest Release
361 days ago

Changelog History
Page 2

  • v6.5.0 Changes

    June 16, 2021
    • ๐Ÿ”’ SECURITY Fixes CVE-2021-34551, a complex RCE affecting Windows hosts. See []( for details.
    • The fix for this issue changes the way that language files are loaded. While they remain in the same PHP-like format, they are processed as plain text, and any code in them will not be run, including operations such as concatenation using the . operator.
    • ๐Ÿ—„ Deprecation The current translation file format using PHP arrays is now deprecated; the next major version will introduce a new format.
    • ๐Ÿ”’ SECURITY Fixes CVE-2021-3603 that may permit untrusted code to be run from an address validator. See []( for details.
    • The fix for this issue includes a minor BC break: callables injected into validateAddress, or indirectly through the $validator class property, may no longer be simple strings. If you want to inject your own validator, provide a closure instead of a function name.
    • Haraka message ID strings are now recognised
  • v6.4.1 Changes

    April 29, 2021
    • ๐Ÿ”’ SECURITY Fixes CVE-2020-36326, a regression of CVE-2018-19296 object injection introduced in 6.1.8, see for details
    • Reject more file paths that look like URLs, matching RFC3986 spec, blocking URLS using schemes such as ssh2
    • Ensure method signature consistency in doCallback calls
    • โšก๏ธ Ukrainian language update
    • โž• Add composer scripts for checking coding standards and running tests
  • v6.4.0 Changes

    March 31, 2021
    • โช Revert change that made the mail() and sendmail transports set the envelope sender if one isn't explicitly provided, as it causes problems described in
    • ๐Ÿ“œ Check for mbstring extension before decoding addresss in parseAddress
    • โž• Add Serbian Latin translation (sr_latn)
    • Enrol PHPMailer in Tidelift
  • v6.3.0 Changes

    February 19, 2021
    • ๐Ÿ– Handle early connection errors such as 421 during connection and EHLO states
    • Switch to Github Actions for CI
    • Generate debug output for mail(), sendmail, and qmail transports. Enable using the same mechanism as for SMTP: set SMTPDebug > 0
    • ๐Ÿ”ง Make the mail() and sendmail transports set the envelope sender the same way as SMTP does, i.e. use whatever From is set to, only falling back to the sendmail_from php.ini setting if From is unset. This avoids errors from the mail() function if Sender is not set explicitly and php.ini is not configured. This is a minor functionality change, so bumps the minor version number.
    • โœ… Extend parseAddresses to decode encoded names, improve tests
  • v6.2.0 Changes

    November 25, 2020

    ๐Ÿš€ This is a maintenance release. With this release, PHPMailer gains official PHP 8 compatibility; earlier versions worked in PHP 8 pre-releases, but the test suite did not. The considerable rework this required (which also restored tests running on older PHP versions) was done by @jrfnl โ€“ thank you very much!

    • PHP 8.0 compatibility
    • Switch from PHP CS Fixer to PHP CodeSniffer for coding standards
    • Create class constants for the debug levels in the POP3 class
    • ๐Ÿ‘Œ Improve French, Slovenian, and Ukrainian translations
    • ๐Ÿ‘Œ Improve file upload examples so file extensions are retained
    • ๐Ÿ›  Resolve PHP 8 line break issues due to a very old PHP bug being fixed
    • โš  Avoid warnings when using old openssl functions
    • ๐Ÿ‘Œ Improve Travis-CI build configuration
  • v6.1.8 Changes

    October 09, 2020

    ๐Ÿš€ This is a maintenance release.

    • Mark ext-hash as required in composer.json. This has long been required, but now it will cause an error at install time rather than runtime, making it easier to diagnose
    • ๐Ÿ‘‰ Make file upload examples safer
    • โšก๏ธ Update links to SMTP testing servers
    • Avoid errors when set_time_limit is disabled (you need better hosting!)
    • ๐Ÿ‘ Allow overriding auth settings for local tests; makes it easy to run tests using HELO
    • Recover gracefully from errors during keepalive sessions
    • โž• Add AVIF MIME type mapping
    • Prevent duplicate To headers in BCC-only messages when using mail()
    • ๐Ÿ Avoid file function problems when attaching files from Windows UNC paths
    • ๐Ÿ‘Œ Improve German, Bahasa Indonesian, Filipino translations
    • โž• Add Javascript-based example
    • โœ… Increased test coverage
  • v6.1.7 Changes

    July 14, 2020

    PHPMailer 6.1.7

    ๐Ÿš€ This is a maintenance release.

    • Split SMTP connection into two separate methods
    • Undo BC break in PHP vesions 5.2.3 - 7.0.0 introduced in 6.1.2 when injecting callables for address validation and HTML to text conversion
    • ๐Ÿ’พ Save response to SMTP welcome banner as other responses are saved
    • ๐Ÿšฆ Retry stream_select if interrupted by a signal
  • v6.1.6 Changes

    May 27, 2020

    PHPMailer 6.1.6

    ๐Ÿš€ This is a security release, with some other minor changes. For full details, refer to the advisory.

    • ๐Ÿ”’ SECURITY Fix insufficient output escaping bug in file attachment names. CVE-2020-13625. Reported by Elar Lang of Clarified Security.
    • Correct Armenian ISO language code from am to hy, add mapping for fallback
    • โฑ Use correct timeout property in debug output
  • v6.1.5 Changes

    March 14, 2020

    ๐Ÿš€ This is a maintenance release.

    • Reject invalid custom headers that are empty or contain breaks
    • ๐Ÿ›  Various fixes for DKIM issues, especially when using mail() transport
    • ๐Ÿ”’ Drop the l= length tag from DKIM signatures; it's a mild security risk
    • Ensure CRLF is used explicitly when needed, rather than static::$LE
    • โž• Add a method for trimming header content consistently
    • Some minor tweaks to resolve static analyser complaints
    • Check that attachment files are readable both when adding and when sending
    • โ†ช Work around Outlook bug in mishandling MIME preamble
    • ๐ŸŒ Danish translation improvements
  • v6.1.4 Changes

    December 10, 2019

    The RFC2047 folding added in 6.1.0 was a little overenthusiastic; It will now only happen when header lines exceed 998 chars.

    • Clean up hostname handling
    • Avoid IDN error on older PHP versions, prep for PHP 8.0
    • Don't force RFC2047 folding unnecessarily
    • ๐Ÿš€ Enable tests on full release of PHP 7.4