CVE-2016-10033

9.8 CRITICAL CISA KEV - Actively Exploited

Published: December 30, 2016 Modified: October 22, 2025

Description

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html

Source: cve@mitre.org

Exploit Third Party Advisory VDB Entry

http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html

Source: cve@mitre.org

Exploit Third Party Advisory VDB Entry

http://seclists.org/fulldisclosure/2016/Dec/78

Source: cve@mitre.org

Mailing List Patch Third Party Advisory

http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection

Source: cve@mitre.org

Exploit Third Party Advisory

http://www.securityfocus.com/archive/1/539963/100/0/threaded

Source: cve@mitre.org

Broken Link Third Party Advisory VDB Entry

http://www.securityfocus.com/bid/95108

Source: cve@mitre.org

Broken Link Exploit Third Party Advisory VDB Entry

http://www.securitytracker.com/id/1037533

Source: cve@mitre.org

Broken Link Third Party Advisory VDB Entry

https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html

Source: cve@mitre.org

Third Party Advisory

https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18

Source: cve@mitre.org

Patch Vendor Advisory

https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities

Source: cve@mitre.org

Patch Vendor Advisory

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Source: cve@mitre.org

Exploit Patch Third Party Advisory

https://www.drupal.org/psa-2016-004

Source: cve@mitre.org

Third Party Advisory

https://www.exploit-db.com/exploits/40968/

Source: cve@mitre.org

Exploit Patch Third Party Advisory VDB Entry

https://www.exploit-db.com/exploits/40969/

Source: cve@mitre.org

Exploit Third Party Advisory VDB Entry

https://www.exploit-db.com/exploits/40970/

Source: cve@mitre.org

Exploit Patch Third Party Advisory VDB Entry

https://www.exploit-db.com/exploits/40974/

Source: cve@mitre.org

Exploit Third Party Advisory VDB Entry

https://www.exploit-db.com/exploits/40986/

Source: cve@mitre.org

Exploit Third Party Advisory VDB Entry

https://www.exploit-db.com/exploits/41962/

Source: cve@mitre.org

Exploit Third Party Advisory VDB Entry

https://www.exploit-db.com/exploits/41996/

Source: cve@mitre.org

Exploit Third Party Advisory VDB Entry

https://www.exploit-db.com/exploits/42024/

Source: cve@mitre.org

Exploit Third Party Advisory VDB Entry

https://www.exploit-db.com/exploits/42221/

Source: cve@mitre.org

Exploit Third Party Advisory VDB Entry

http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html