High severity8.1NVD Advisory· Published Nov 15, 2017· Updated Jun 17, 2026
CVE-2017-15806
CVE-2017-15806
Description
The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
zetacomponents/mailPackagist | < 1.8.2 | 1.8.2 |
Affected products
2Patches
Vulnerability mechanics
References
12- www.securityfocus.com/bid/101866nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-hgr8-g756-vmg9ghsaADVISORY
- github.com/zetacomponents/Mail/issues/58nvdIssue TrackingThird Party AdvisoryWEB
- github.com/zetacomponents/Mail/releases/tag/1.8.2nvdIssue TrackingRelease NotesThird Party AdvisoryWEB
- kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability/nvdIssue TrackingThird Party Advisory
- kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong/nvdIssue TrackingThird Party Advisory
- nvd.nist.gov/vuln/detail/CVE-2017-15806ghsaADVISORY
- www.exploit-db.com/exploits/43155/nvdIssue TrackingThird Party AdvisoryVDB Entry
- github.com/FriendsOfPHP/security-advisories/blob/master/zetacomponents/mail/CVE-2017-15806.yamlghsaWEB
- kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerabilityghsaWEB
- kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dongghsaWEB
- www.exploit-db.com/exploits/43155ghsaWEB
News mentions
0No linked articles in our index yet.