CVE-2016-10033
Published: Dec 30, 2016
Modified: Oct 21, 2025
PUBLISHED
Description
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
| Reference | Tags | Source |
|---|---|---|
| https://www.drupal.org/psa-2016-004 | | x_refsource_CONFIRM |
| 42221 | exploit | x_refsource_EXPLOIT-DB |
| 40969 | exploit | x_refsource_EXPLOIT-DB |
| 41962 | exploit | x_refsource_EXPLOIT-DB |
| 40968 | exploit | x_refsource_EXPLOIT-DB |
| https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18 | | x_refsource_CONFIRM |
| 20161227 PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033] | mailing-list | x_refsource_BUGTRAQ |
| 40974 | exploit | x_refsource_EXPLOIT-DB |
| 40986 | exploit | x_refsource_EXPLOIT-DB |
| 40970 | exploit | x_refsource_EXPLOIT-DB |
| 41996 | exploit | x_refsource_EXPLOIT-DB |
| 20161227 PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] | mailing-list | x_refsource_FULLDISC |
| 95108 | vdb-entry | x_refsource_BID |
| 1037533 | vdb-entry | x_refsource_SECTRACK |
| 42024 | exploit | x_refsource_EXPLOIT-DB |