Critical severity9.8CISA KEVNVD Advisory· Published Dec 30, 2016· Updated Apr 21, 2026

CVE-2016-10033

Description

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
phpmailer/phpmailerPackagist	>= 5.0.0, < 5.2.18	5.2.18

Affected products

Joomla/Joomla!
cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Range: >=1.5.0,<=3.6.5
Phpmailer Project/Phpmailer
cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*
Range: <5.2.18
WordPress/WordPress
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
Range: <=4.7
Package: https://wordpress.org/plugins/wordpress

Patches

ed4e7ce8ad87

https://github.com/PHPMailer/PHPMailervia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

seclists.org/fulldisclosure/2016/Dec/78nvdMailing ListPatchThird Party AdvisoryWEB
github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18nvdPatchVendor AdvisoryWEB
packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.htmlnvdExploitThird Party AdvisoryVDB EntryWEB
packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.htmlnvdExploitThird Party AdvisoryVDB EntryWEB
www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injectionnvdExploitThird Party AdvisoryWEB
www.securityfocus.com/bid/95108nvdBroken LinkExploitThird Party AdvisoryVDB Entry
legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.htmlnvdExploitPatchThird Party AdvisoryWEB
www.exploit-db.com/exploits/40968/nvdExploitPatchThird Party AdvisoryVDB Entry
www.exploit-db.com/exploits/40969/nvdExploitThird Party AdvisoryVDB Entry
www.exploit-db.com/exploits/40970/nvdExploitPatchThird Party AdvisoryVDB Entry
www.exploit-db.com/exploits/40974/nvdExploitThird Party AdvisoryVDB Entry
www.exploit-db.com/exploits/40986/nvdExploitThird Party AdvisoryVDB Entry
www.exploit-db.com/exploits/41962/nvdExploitThird Party AdvisoryVDB Entry
www.exploit-db.com/exploits/41996/nvdExploitThird Party AdvisoryVDB Entry
www.exploit-db.com/exploits/42024/nvdExploitThird Party AdvisoryVDB Entry
www.exploit-db.com/exploits/42221/nvdExploitThird Party AdvisoryVDB Entry
www.securityfocus.com/archive/1/539963/100/0/threadednvdBroken LinkThird Party AdvisoryVDB Entry
www.securitytracker.com/id/1037533nvdBroken LinkThird Party AdvisoryVDB Entry
developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.htmlnvdThird Party AdvisoryWEB
github.com/advisories/GHSA-5f37-gxvh-23v6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2016-10033ghsaADVISORY
www.drupal.org/psa-2016-004nvdThird Party AdvisoryWEB
github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2016-10033.yamlghsaWEB
github.com/PHPMailer/PHPMailer/security/advisories/GHSA-5f37-gxvh-23v6ghsaWEB
www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government ResourceWEB
www.exploit-db.com/exploits/40968ghsaWEB
www.exploit-db.com/exploits/40969ghsaWEB
www.exploit-db.com/exploits/40970ghsaWEB
www.exploit-db.com/exploits/40974ghsaWEB
www.exploit-db.com/exploits/40986ghsaWEB
www.exploit-db.com/exploits/41962ghsaWEB
www.exploit-db.com/exploits/41996ghsaWEB
www.exploit-db.com/exploits/42024ghsaWEB
www.exploit-db.com/exploits/42221ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.076
exploit	0.030
kev	0.120
patch	-0.070
ransomware	0.000