The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
History

Mon, 07 Jul 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2025-07-07'}


Mon, 07 Jul 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2016-12-30T19:00:00.000Z

Updated: 2025-07-07T22:20:24.083Z

Reserved: 2016-12-22T00:00:00.000Z

Link: CVE-2016-10033

cve-icon Vulnrichment

Updated: 2024-08-06T03:07:32.161Z

cve-icon NVD

Status : Deferred

Published: 2016-12-30T19:59:00.137

Modified: 2025-07-08T01:00:02.203

Link: CVE-2016-10033

cve-icon Redhat

No data.