This new post on the Sanisoft blog has some good news for CakePHP developers concerning the bundled email component - it now can be made header injection safe.
In Cheesecake 1.x we had used our home grown component for sending emails. Having learned our lessons from the headaches of Pixelpost team due to email header injection attacks in their comment mailing code we had taken precautions to make our code safe from such attacks.
They proposed an update to the CakePHP functionality to integrate this solution on a more permanent basis.