The CakePHP core team is happy to announce the immediate availability of CakePHP
3.6.15. This release contains a security related fix for CVE-2019-11458. The vulnerability affects applications that open serialized content from user input. When doing so the SmtpTransport can be used to overwrite any file the webserver has write access to. We'd like to thank Edgaras Janušauskas for notifying us of this issue and confirming the fix.