CVE-2016-10033
CRITICAL | CISA KEV | 9.8
Description
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
CVE Details
CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 12/30/2016
Last Modified: 10/22/2025
Source: kev
Honeypot Sightings: 0
CISA KEV
Vendor: PHP
Product: PHPMailer
Vulnerability Name: PHPMailer Command Injection Vulnerability
KEV Date Added: 2025-07-07
Remediation Due Date: 2025-07-28
Ransomware Use: Unknown
Affected Products
joomla:joomla\!
phpmailer_project:phpmailer
wordpress:wordpress
Weaknesses (CWE)
CWE-88
References
http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html (cve@mitre.org)
http://seclists.org/fulldisclosure/2016/Dec/78 (cve@mitre.org)
http://www.securityfocus.com/archive/1/539963/100/0/threaded (cve@mitre.org)
http://www.securityfocus.com/bid/95108 (cve@mitre.org)
http://www.securitytracker.com/id/1037533 (cve@mitre.org)
https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html (cve@mitre.org)
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18 (cve@mitre.org)
https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities (cve@mitre.org)
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html (cve@mitre.org)
https://www.drupal.org/psa-2016-004 (cve@mitre.org)
https://www.exploit-db.com/exploits/40968/ (cve@mitre.org)
https://www.exploit-db.com/exploits/40969/ (cve@mitre.org)
https://www.exploit-db.com/exploits/40970/ (cve@mitre.org)
https://www.exploit-db.com/exploits/40974/ (cve@mitre.org)
https://www.exploit-db.com/exploits/40986/ (cve@mitre.org)
https://www.exploit-db.com/exploits/41962/ (cve@mitre.org)
https://www.exploit-db.com/exploits/41996/ (cve@mitre.org)
https://www.exploit-db.com/exploits/42024/ (cve@mitre.org)
https://www.exploit-db.com/exploits/42221/ (cve@mitre.org)
http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html (af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2016/Dec/78 (af854a3a-2127-422b-91ae-364da2661108)
http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/539963/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/95108 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1037533 (af854a3a-2127-422b-91ae-364da2661108)
https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities (af854a3a-2127-422b-91ae-364da2661108)
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.drupal.org/psa-2016-004 (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/40968/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/40969/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/40970/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/40974/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/40986/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/41962/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/41996/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/42024/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/42221/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-10033 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.