CVE-2016-10033
CRITICAL9.8⚠ KEVEPSS 94.4%libphp-phpmailer - security update
Published: 3/5/2020Modified: 5/27/2026Added to CISA KEV: 7/7/2025
Description
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Affected packages (6)
- Alpine/php5-phpmailerfrom 0, < 5.2.0-r1
- Alpine/php-phpmailerfrom 0, < 5.2.4-r0
- Debian/libphp-phpmailerfrom 0, < 5.2.14+dfsg-2.1
- Debian/libphp-phpmailerfrom 0, < 5.1-1.2
- Debian/libphp-phpmailerfrom 0, < 5.2.9+dfsg-2+deb8u2
- Packagist/phpmailer/phpmailer>= 5.0.0, < 5.2.18
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
References (25)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-10033
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2016-10033
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2016-10033
- PATCHhttps://github.com/PHPMailer/PHPMailer
- WEBhttp://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html
- WEBhttp://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html
- WEBhttps://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html
- WEBhttp://seclists.org/fulldisclosure/2016/Dec/78
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2016-10033.yaml
- WEBhttps://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18
- WEBhttps://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-5f37-gxvh-23v6
- WEBhttps://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities
- WEBhttps://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
- WEBhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-10033
- WEBhttps://www.drupal.org/psa-2016-004
- WEBhttps://www.exploit-db.com/exploits/40968
- WEBhttps://www.exploit-db.com/exploits/40969
- WEBhttps://www.exploit-db.com/exploits/40970
- WEBhttps://www.exploit-db.com/exploits/40974
- WEBhttps://www.exploit-db.com/exploits/40986
- WEBhttps://www.exploit-db.com/exploits/41962
- WEBhttps://www.exploit-db.com/exploits/41996
- WEBhttps://www.exploit-db.com/exploits/42024
- WEBhttps://www.exploit-db.com/exploits/42221
- WEBhttp://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection