Depending on how your application creates the actual RAW email request, it may be possible to insert line feeds to modify the recipients, CC, BCC etc.
Check out this example:
In this context, the target is to be able to send anonymous emails to
other recipients. There are numerous additional fields that can be
specified in the mail headers (see [ RFC 822 ]). For example 'Cc'
(Carbon Copy), which sends a copy of the message to the email
addresses given as arguments. A better choice is to use the 'Bcc'
(Blind Carbon Copy) which sends a carbon copy of the message just like
with the 'Cc' header, except that the recipiends email addresses given
as arguments are not shown to the multiple recipients' headers. As
specified in the [ RFC 822 ], one must add a line feed for every
header. The (line feed) char has a hexadecimal value of 0x0A.
Sender: "sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx"
Subject: ahem
Message: "My Message"
will result in
To: recipient@victim.xxx
Subject: ahem
From: sender@anonymous.xxx
Cc:recipient@someothersite.xxx
Bcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx
My Message...
Also, check out some OWASP Guidance, and some examples under CWE-93.