⚠ Actively exploited
Added to CISA KEV on 2025-07-07. Federal agencies required to patch by 2025-07-28. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2016-10033: Argument Injection in PHPMailer

Severity: 9.8 CRITICAL (NVD)
EPSS: 94.5% (top < 0.01%)
CISA KEV: added 2025-07-07, due 2025-07-28
Exploit: exploited in the wild, active exploitation observed
Timeline: published Dec 30, KEV added Jul 7, KEV due Jul 28

Description

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

Source     Package              From    To       Note
Packagist  phpmailer/phpmailer  5.0.0   5.2.18   +1 more range
NVD        joomla/joomla_!      1.5.0   3.6.5

Patches

🔴 Vulnerability Details (11)

OSV: libphp-phpmailer vulnerability (2023-03-15)
OSV: libphp-phpmailer vulnerabilities (2023-03-15)
OSV: Remote code execution in PHPMailer (2020-03-05)
OSV: Remote code execution in PHPMailer (2020-03-05)
GHSA: Remote code execution in PHPMailer (2020-03-05)

💥 Exploits & PoCs (13)

Exploit-DB: PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution (2017-06-21)
Exploit-DB: WordPress Plugin PHPMailer 4.6 - Host Header Command Injection (Metasploit) (2017-05-17)
Exploit-DB: Vanilla Forums < 2.3 - Remote Code Execution (2017-05-11)
Exploit-DB: WordPress Core 4.6 - Remote Code Execution (2017-05-03)
Exploit-DB: PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution (2017-01-02)

🔍 Detection Rules (3)

Suricata: ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M3 (2017-05-05)
Suricata: ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M2 (2017-05-05)
Suricata: ET EXPLOIT Possible CVE-2016-10033 PHPMailer RCE Attempt (2016-12-27)

📋 Vendor Advisories (6)

CISA: PHPMailer Command Injection Vulnerability (2025-07-07)
Ubuntu: PHPMailer vulnerabilities (2023-03-15)
Ubuntu: PHPMailer vulnerability (2023-03-15)
Drupal: PHPmailer 3rd party library - PSA-2016-004 (2016-12-26)
Debian: CVE-2016-10045: libphp-phpmailer - The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to ... (2016)

🕵️ Threat Intelligence (6)

Fortinet: Incomplete Patch: Another Joomla! Core XSS Vulnerability Is Discovered (2018-05-25)
Fortinet: PHPMailer Powered – Use It, But Also Remember to Update It (2017-02-16)
Fortinet: Analysis of PHPMailer Remote Code Execution Vulnerability (CVE-2016-10033) (2017-01-05)
Fortinet: Joomla – From Nowhere to High Privilege (2016-10-27)
Fortinet: Analysis of PHP's CVE-2016-6289 and CVE-2016-6297 (2016-08-10)

📐 Framework References (1)

CWE: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

📄 Research Papers (2)

arXiv: XGV-BERT: Leveraging Contextualized Language Model and Graph Neural Network for Efficient Software Vulnerability Detection (2023-09-26)
arXiv: Lic-Sec: an enhanced AppArmor Docker security profile generator (2020-09-24)

💬 Community (13)

HackerOne: RCE by command line argument injection to `gm convert` in `/edit/process?a=crop` (2017-04-26)
Bugzilla: CVE-2016-10045 phpmailer: Parameter injection via mail() function (2017-01-11)
Bugzilla: CVE-2016-10033 mantis: phpmailer: Parameter injection via mail() function [epel-5] (2017-01-02)
Bugzilla: CVE-2016-10033 phpmailer: Parameter injection via mail() function (2017-01-02)
Bugzilla: CVE-2016-10033 wordpress: phpmailer: Parameter injection via mail() function [epel-all] (2017-01-02)