CVE-2016-10033
published 2016-12-30


Priority: P1 97, critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2025-07-28
Exploited in the wild
EPSS: 99.71% (100.0th percentile)
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

Affected

9 ranges

Vendor            | Product                     | Version range                                    | Fixed in
------------------|-----------------------------|--------------------------------------------------|------------------------------------------------
debian            | libphp-phpmailer            | < libphp-phpmailer 5.2.14+dfsg-2.1 (bookworm)    | libphp-phpmailer 5.2.14+dfsg-2.1 (bookworm)
debian            | libphp-phpmailer            |                                                  |
drupal            | phpmailer_3rd_party_library |                                                  |
joomla            | joomla_!                    | 1.5.0 – 3.6.5                                    |
phpmailer         | phpmailer                   | >= 5.0.0 < 5.2.18                                | 5.2.18
phpmailer         | phpmailer                   | >= 5.0.0 < 5.2.20                                | 5.2.20
phpmailer_project | phpmailer                   | < 5.2.18                                         | 5.2.18
phpmailer_project | phpmailer                   | < 5.2.20                                         | 5.2.20
wordpress         | wordpress                   | <= 4.7                                           |

Detection & IOCs (extracted from sources)

filename: class.phpmailer.php
  • Fortinet IPS signature for CVE-2016-10033 PHPMailer RCE detection
  • Fortinet IPS signature PHP.App.Email.Arguments.Parsing.Remote.Code.Execution also covers this vulnerability
  • Detect crafted Sender/From email addresses containing backslash-doublequote sequences (e.g. \") used to inject extra sendmail arguments
  • Monitor for unexpected new PHP files created in the web root directory following PHPMailer form submissions, as the attack writes a PHP webshell via sendmail log redirection

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
--------------|--------------|-------|----------|-----------------------------------------------
nvd           | v3.1         | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0         | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa          |              | 9.8   | CRITICAL |
osv           |              | 9.8   | CRITICAL |
vulncheck     |              | 9.8   | CRITICAL |
cisa          |              | 9.8   | CRITICAL |
vendor_debian |              | 9.8   | CRITICAL |
vendor_ubuntu |              | 9.8   | CRITICAL |