Critical severity9.8NVD Advisory· Published Dec 30, 2016· Updated Jun 17, 2026
CVE-2016-10034
CVE-2016-10034
Description
The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
zendframework/zend-mailPackagist | < 2.4.11 | 2.4.11 |
zendframework/zend-mailPackagist | >= 2.5, <= 2.5.2 | — |
zendframework/zend-mailPackagist | >= 2.6, <= 2.6.2 | — |
zendframework/zend-mailPackagist | >= 2.7, < 2.7.2 | 2.7.2 |
Affected products
11cpe:2.3:a:zend:zend-mail:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:a:zend:zend-mail:*:*:*:*:*:*:*:*range: <=2.4.10
- cpe:2.3:a:zend:zend-mail:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend-mail:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend-mail:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend-mail:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend-mail:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend-mail:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend-mail:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend-mail:2.7.1:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
13- framework.zend.com/security/advisory/ZF2016-04nvdExploitTechnical DescriptionVendor AdvisoryWEB
- legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.htmlnvdExploitTechnical DescriptionThird Party AdvisoryWEB
- www.securityfocus.com/bid/95144nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-r9mw-gwx9-v3h5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-10034ghsaADVISORY
- www.securitytracker.com/id/1037539nvdWEB
- security.gentoo.org/glsa/201804-10nvdWEB
- www.exploit-db.com/exploits/40979ghsaWEB
- www.exploit-db.com/exploits/40986ghsaWEB
- www.exploit-db.com/exploits/42221ghsaWEB
- www.exploit-db.com/exploits/40979/nvd
- www.exploit-db.com/exploits/40986/nvd
- www.exploit-db.com/exploits/42221/nvd
News mentions
0No linked articles in our index yet.