{"id":"CVE-2016-4803","details":"CRLF injection vulnerability in the send email functionality in dotCMS before 3.3.2 allows remote attackers to inject arbitrary email headers via CRLF sequences in the subject.","modified":"2026-04-10T03:52:24.654943Z","published":"2016-06-30T17:59:06.797Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/91529"},{"type":"ADVISORY","url":"https://dotcms.com/docs/latest/change-log#release-3.3.2"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2016/May/69"},{"type":"EVIDENCE","url":"https://security.elarlang.eu/cve-2016-4803-dotcms-email-header-injection-vulnerability-full-disclosure.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dotcms/core","events":[{"introduced":"0"},{"last_affected":"55f3f10337ebebf74c22ac82a411c4af276c6b09"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.3.1"}]}}],"versions":["3.0","3.2","3.2.1","3.3","3.3.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4803.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}