diff --git a/javamail-CVE-2025-7962.patch b/javamail-CVE-2025-7962.patch
new file mode 100644
index 0000000..16a9b1a
--- /dev/null
+++ b/javamail-CVE-2025-7962.patch
@@ -0,0 +1,29 @@
+--- javamail-JAVAMAIL-1_6_2/mail/src/main/java/com/sun/mail/smtp/SMTPTransport.java 2025-07-23 08:57:23.698768098 +0200
++++ javamail-JAVAMAIL-1_6_2/mail/src/main/java/com/sun/mail/smtp/SMTPTransport.java 2025-07-23 08:57:44.109600841 +0200
+@@ -2408,14 +2408,25 @@
+ //logger.fine("SENT: " + new String(cmdBytes, 0));
+ 
+ try {
++ validateCommand(cmdBytes);
+ serverOutput.write(cmdBytes);
+ serverOutput.write(CRLF);
+ serverOutput.flush();
+- } catch (IOException ex) {
++ } catch (IOException | RuntimeException ex) {
+ throw new MessagingException("Can't send command to SMTP host", ex);
+ }
+ }
+
++ private void validateCommand(byte[] cmdBytes) throws MessagingException {
++ final byte CR = '\r';
++ final byte LF = '\n';
++ for (byte b : cmdBytes) {
++ if (b == LF || b == CR) {
++ throw new IllegalArgumentException("Command contains illegal character: " + String.format("0x%02x",b));
++ }
++ }
++ }
++
+ /**
+ * Reads server reponse returning the returnCode
+ * as the number. Returns -1 on failure. Sets
diff --git a/javamail.changes b/javamail.changes
index b65e128..922afe4 100644
--- a/javamail.changes
+++ b/javamail.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Jul 23 07:01:17 UTC 2025 - Fridrich Strba
+
+- Added patch:
+ * javamail-CVE-2025-7962.patch
+ + backport of upstream fix for bsc#1246873, CVE-2025-7962: improper neutralization of \r and \n UTF-8 characters can lead to SMTP injection
+
 -------------------------------------------------------------------
 Wed Oct 2 15:48:59 UTC 2024 - Fridrich Strba
diff --git a/javamail.spec b/javamail.spec
index dd06e8c..18fe8f6 100644
--- a/javamail.spec
+++ b/javamail.spec
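Review bot: `validateCommand` declares `throws MessagingException` but only ever throws `IllegalArgumentException`, which is why the catch in the send path had to be widened to `IOException | RuntimeException`; that widening also wraps unrelated runtime failures from the `serverOutput.write` calls into a generic "Can't send command" MessagingException and hides their real type from callers. Throwing the declared type directly keeps the original catch intact: `throw new MessagingException("Command contains illegal character: " + String.format("0x%02x", b));` in `validateCommand`, and `} catch (IOException ex) {` as before. Checking the already-encoded bytes rather than the String is the right layer, since any 0x0d/0x0a byte reaches the socket regardless of encoding, and a short comment on the method such as `// Reject CR/LF so a caller-supplied value cannot terminate the SMTP command early (SMTP injection, CVE-2025-7962)` would record why the guard lives here rather than in the String-taking overload. The enclosing send method starts outside the hunk, so I cannot confirm whether other writers of `serverOutput` exist that would need the same check.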
@@ -1,7 +1,7 @@
 #
 # spec file for package javamail
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,6 +26,7 @@ Group: Development/Libraries/Java
 URL: https://www.oracle.com/technetwork/java/javamail
 Source: https://github.com/javaee/javamail/archive/%{git_tag}.tar.gz
 Patch0: %{name}-javadoc.patch
+Patch1: %{name}-CVE-2025-7962.patch
 BuildRequires: ant
 BuildRequires: fdupes
 BuildRequires: glassfish-activation-api
@@ -51,6 +52,7 @@ Group: Documentation/HTML
 %prep
 %setup -q -n %{name}-%{git_tag}
 %patch -P 0 -p1
+%patch -P 1 -p1
 add_dep() {
 %pom_xpath_inject pom:project "" ${2}