Vulnerability in N/a
CVE-2016-10033
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sende…
EPSS: 0.944 (100.0th percentile).
Affected products
- N/a — versions n/a
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on 2025-07-07. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Public proof-of-concept exploits
References
- packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html (x_refsource_MISC)
- www.drupal.org/psa-2016-004 (x_refsource_CONFIRM)
- 42221 (exploit, x_refsource_EXPLOIT-DB)
- 40969 (exploit, x_refsource_EXPLOIT-DB)
- 41962 (exploit, x_refsource_EXPLOIT-DB)
- 40968 (exploit, x_refsource_EXPLOIT-DB)
- legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-V… (x_refsource_MISC)
- github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18 (x_refsource_CONFIRM)
- 20161227 PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033] (mailing-list, x_refsource_BUGTRAQ)
- github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045… (x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2016-10033?
  - CVE-2016-10033 is a vulnerability in N/a. Published 2016-12-30.
- Is CVE-2016-10033 known to be exploited?
  - Yes. CVE-2016-10033 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2025-07-07), indicating it is being actively exploited. 226 public proof-of-concept repositories are indexed.