PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php.
Note: The CVE details state that 5.2.23 is vulnerable, while the references say that all versions prior to 5.2.23 are vulnerable. Please look this over.
The reported problem is in an example, and not in the PHPMailer code. I don't see any upstream activity at all regarding this CVE (did anyone report it...?), so I presume the problem still exists.
As a quick workaround, I just dropped that vulnerable example from our ebuild.