PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar
Deserialization via addAttachment with a UNC pathname. NOTE: this is similar
to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in
which UNC pathnames were always considered unreadable by PHPMailer, even in
safe contexts. As an unintended side effect, this fix eliminated the code
that blocked addAttachment exploitation.