I’ve just reported this security issue by email.
I noticed today that PHPMailer has had some security updates to address CVE-2018-19296. I can see this information by looking at the GitHub releases page of PHPMailer.
MODX, to my knowledge, uses PHPMailer 5.2.26; however, since then:
5.2.27 and 6.0.6 were released in Nov 2018 to address CVE-2018-19296.
The entire 5.2 branch has been deprecated as of 31 Dec 2018.
In the meantime, can you advise if it’s possible to disable PHPMailer 5.2.26 which is bundled with MODX? Is it possible to have MODX use an alternative mail library instead of modMail / PHPMailer 5.2.x?