From 405f12e438c92afa9c0d84632b15d21488beeb3e Mon Sep 17 00:00:00 2001 From: Henri Cook Date: Wed, 11 Feb 2026 16:00:50 +0000 Subject: [PATCH] [EMAIL] Fix CVE-2025-7962: Bump com.sun.mail:jakarta.mail from 1.6.7 to 1.6.8 Version 1.6.7 is vulnerable to CVE-2025-7962, an SMTP injection flaw allowing attackers to inject arbitrary SMTP commands via \r\n characters in UTF-8 encoded input. The fix in 1.6.8 adds input validation in SMTPTransport.sendCommand() via a private validateCommand() method. No public API changes - binary compatible with 1.6.7. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 4c284f589..84e2b05a7 100644 --- a/pom.xml +++ b/pom.xml @@ -239,7 +239,7 @@ com.sun.mail jakarta.mail - 1.6.7 + 1.6.8 org.junit.jupiter
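Review bot: the version line changed in the pom.xml hunk (`1.6.7` to `1.6.8`) is the only change in this patch (1 file, 1 insertion, 1 deletion), so nothing here confirms that every module resolves 1.6.8 or that the CR/LF handling described in the commit message is exercised. Before merging, check the resolved version with `mvn dependency:tree -Dincludes=com.sun.mail:jakarta.mail`, since another dependency could still pull in 1.6.7 transitively if this entry is not the one that governs resolution. Consider adding a regression test that passes a value containing `\r\n` into the mail-sending path and asserts it is rejected, so that a later downgrade or dependency override is caught by the build.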