Security Bulletin for 25 June 2026: CRLF Injection in the Laravel Framework and a Critical Account Takeover in the Kirki WordPress Plugin
25 June 2026 · jproxx Security
This is our daily security overview, in which we review the newly published vulnerabilities and pick out the ones that genuinely matter for running WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. For 25 June 2026 we single out two vulnerabilities that affect different layers of the typical hosting stack: one in the Laravel PHP framework and one in the Kirki WordPress plugin.
CVE-2026-48019 — CRLF Injection in the Email Validation of the Laravel Framework (high)
A CRLF injection has been discovered in the widely used PHP framework Laravel, which forms the foundation of countless web applications; affected are all versions up to and including 13.9.0 as well as all versions before 12.60.0. The flaw originates in the default validation rule for email addresses: the carriage-return and line-feed control characters (CR and LF) contained in a user-supplied email address are not sufficiently neutralised before the address is passed on to the underlying Symfony Mailer and Symfony Mime components. Because these characters act as structural delimiters in email headers, an attacker who submits an otherwise valid-looking address followed by an injected \r\nBcc: entry can smuggle in additional recipients, alter headers or manipulate message content — all without any login and without any action on the victim’s part. Applications that accept user-supplied addresses from registrations, password resets or contact forms and then send mail to them are particularly affected. The GitHub Security Advisory rates the flaw at a CVSS score of 8.9 (high) and assigns it to weakness class CWE-93. A fix is available in versions 12.60.0 and 13.10.0, to which operators should update promptly.
Sources: GitHub Security Advisory GHSA-5vg9-5847-vvmq · Debian Security Tracker — CVE-2026-48019
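The defensive counterpart to the flaw described above is a guard that rejects any address carrying CR, LF or other control characters before it ever reaches a mailer. The following is an added illustration written for this bulletin, not code from Laravel, Symfony or the advisory; the function names and the sample addresses are constructed, and the third sample shows that a bare line feed is caught as well.

```php
<?php
// Added example, not code from Laravel or Symfony: a guard that refuses an email
// address containing CR, LF or any other control character before the address is
// handed to a mailer. Function names and sample inputs are constructed here.

declare(strict_types=1);

/**
 * True only when $address is free of bytes that can end or fold a header line
 * (ASCII 0x00-0x1F and DEL 0x7F) and is syntactically a single email address.
 */
function isHeaderSafeAddress(string $address): bool
{
    if (preg_match('/[\x00-\x1F\x7F]/', $address) === 1) {
        return false; // reject rather than strip: a silently cleaned value hides the attempt
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/** Builds the "To:" header line a naive mailer wrapper would emit for $address. */
function renderToHeader(string $address): string
{
    return 'To: ' . $address . "\r\n";
}

// Constructed sample inputs; the second and third carry the injection shape the bulletin describes.
$samples = [
    'clean'       => 'user@example.com',
    'crlf-bcc'    => "user@example.com\r\nBcc: third-party@example.net",
    'bare-lf-bcc' => "user@example.com\nBcc: third-party@example.net",
];

foreach ($samples as $label => $address) {
    $verdict = isHeaderSafeAddress($address) ? 'accepted' : 'rejected';
    // addcslashes renders CR and LF as \r and \n so the header split is visible in the output.
    printf(
        "%-11s %-8s header would read: %s\n",
        $label,
        $verdict,
        addcslashes(renderToHeader($address), "\r\n")
    );
}
```

Run with `php guard.php`: the clean address is accepted and renders as a single header line, while both injected variants are rejected and the output shows the extra `Bcc:` line they would have produced. In a Laravel application the same check can be wrapped in a custom validation rule and listed ahead of the framework's `email` rule; it is a defence-in-depth measure and does not replace updating to 12.60.0 or 13.10.0.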
CVE-2026-8206 — Unauthenticated Account Takeover in the Kirki WordPress Plugin (critical)
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress contains a critical privilege-escalation vulnerability in versions 6.0.0 up to and including 6.0.6 that allows unauthenticated attackers to fully take over other accounts, up to and including the administrator. The cause is a flawed check during the password reset: the responsible endpoint accepts an attacker-chosen email address instead of using the address registered for the account, so that the reset link generated for any arbitrary user account can be sent to the attacker’s own address. Whoever receives that link can set a new password for the target account and then log in with its privileges. The National Vulnerability Database rates the vulnerability at a CVSS score of 9.8, classifies it as critical and assigns it to weakness class CWE-269. Orca Security additionally reports, citing Wordfence, that first attack attempts have already been blocked — around 59 within 24 hours — which further underlines the urgency; the automated assessment by the National Vulnerability Database, by contrast, does not yet list active exploitation at the time of this publication. Operators should update the plugin to version 6.0.7 or newer without delay.
Sources: National Vulnerability Database — CVE-2026-8206 · Orca Security — Kirki CVE-2026-8206
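The Kirki flaw comes down to where the reset flow takes the delivery address from. The following is an added illustration written for this bulletin, not code from the Kirki plugin or from WordPress core: a minimal model of a reset handler showing the weak pattern (the address is read from the request) beside the corrected one (the address is always the one stored for the account), plus a single-use, expiring token bound to that account. The user table, token store, function names and sample request are constructed.

```php
<?php
// Added example, not code from the Kirki plugin or WordPress core: a minimal model
// of a password-reset request handler. The weak variant takes the delivery address
// from the request; the corrected variant looks the account up and addresses the
// link only to the email stored for it. The user table, token store, function names
// and sample request are all constructed for this illustration.

declare(strict_types=1);

/** Constructed user table: login => email on record. */
const USERS = [
    'admin'  => 'admin@example.com',
    'editor' => 'editor@example.com',
];

/** Token store: token => ['login' => ..., 'expires' => unix time]. */
$resetTokens = [];

/**
 * Weak pattern: the caller may supply the address the reset link is mailed to.
 * Returns the address that would be used, or null for an unknown login.
 */
function deliveryAddressWeak(array $request): ?string
{
    $login = $request['login'] ?? '';
    if (!isset(USERS[$login])) {
        return null;
    }
    return $request['email'] ?? USERS[$login];
}

/**
 * Corrected pattern: the address comes from the account record only; any
 * request-supplied email is ignored. Returns null for an unknown login.
 */
function deliveryAddressFixed(array $request): ?string
{
    return USERS[$request['login'] ?? ''] ?? null;
}

/**
 * Issues a reset for the corrected flow: a random, single-use token bound to the
 * account and expiring after $ttl seconds. Returns ['to' => ..., 'token' => ...] or null.
 */
function issueReset(array $request, array &$store, int $now, int $ttl = 900): ?array
{
    $login = $request['login'] ?? '';
    $to = deliveryAddressFixed($request);
    if ($to === null) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $store[$token] = ['login' => $login, 'expires' => $now + $ttl];
    return ['to' => $to, 'token' => $token];
}

/** Consumes a token: valid only once and only before expiry. Returns the login or null. */
function consumeReset(string $token, array &$store, int $now): ?string
{
    if (!isset($store[$token]) || $store[$token]['expires'] < $now) {
        unset($store[$token]);
        return null;
    }
    $login = $store[$token]['login'];
    unset($store[$token]);
    return $login;
}

// Constructed request: a known login paired with an address that is not on record.
$request = ['login' => 'admin', 'email' => 'somebody-else@example.net'];

echo 'weak  flow mails the link to: ', deliveryAddressWeak($request), "\n";
echo 'fixed flow mails the link to: ', deliveryAddressFixed($request), "\n";

$now = time();
$issued = issueReset($request, $resetTokens, $now);
echo 'first use  : ', consumeReset($issued['token'], $resetTokens, $now) ?? 'rejected', "\n";
echo 'second use : ', consumeReset($issued['token'], $resetTokens, $now) ?? 'rejected', "\n";
```

The weak variant mails the link to whatever address the request names, which is exactly the condition the advisory describes; the corrected variant mails it only to the address on record, and the token can be redeemed once and then expires. WordPress core already offers this shape for plugin authors: the account is resolved with `get_user_by()`, the token comes from `get_password_reset_key()`, and the delivery address is the one on the resulting `WP_User` object rather than anything taken from the request.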
This bulletin is provided for security awareness. The official notices from the respective vendors and the sources linked above always take precedence.