{"api_version":"1","generated_at":"2026-04-23T09:37:04+00:00","cve":"CVE-2016-10033","urls":{"html":"https://cve.report/CVE-2016-10033","api":"https://cve.report/api/cve/CVE-2016-10033.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-10033","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-10033"},"summary":{"title":"CVE-2016-10033","description":"The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \\\" (backslash double quote) in a crafted Sender property.","state":"PUBLISHED","assigner":"mitre","published_at":"2016-12-30 19:59:00","updated_at":"2026-04-21 16:27:03"},"problem_types":["CWE-88","n/a","CWE-88 CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"ADP","type":"DECLARED","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"https://www.exploit-db.com/exploits/41996/","name":"https://www.exploit-db.com/exploits/41996/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"Vanilla Forums < 2.3 - Remote Code Execution - PHP remote Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html","name":"https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Patch","Third Party Advisory"],"title":"PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html","name":"http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"PHPMailer Sendmail Argument Injection ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/539963/100/0/threaded","name":"http://www.securityfocus.com/archive/1/539963/100/0/threaded","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Third Party Advisory","VDB Entry"],"title":"SecurityFocus","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/40986/","name":"https://www.exploit-db.com/exploits/40986/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution - PHP webapps Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/95108","name":"http://www.securityfocus.com/bid/95108","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Exploit","Third Party Advisory","VDB Entry"],"title":"PHPMailer CVE-2016-10033 Remote Code Execution Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://www.securitytracker.com/id/1037533","name":"http://www.securitytracker.com/id/1037533","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Third Party Advisory","VDB Entry"],"title":"PHPMailer Input Validation Flaw Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/40974/","name":"https://www.exploit-db.com/exploits/40974/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"PHPMailer < 5.2.18 - Remote Code Execution (Python) - PHP webapps Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection","name":"http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"],"title":"CVE-2016-10033 PHPMailer Sendmail Argument Injection | Rapid7","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/40969/","name":"https://www.exploit-db.com/exploits/40969/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"PHPMailer < 5.2.20 - Remote Code Execution","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18","name":"https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Vendor Advisory"],"title":"Release PHPMailer 5.2.18 · PHPMailer/PHPMailer · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-10033","name":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-10033","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["US Government Resource"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.exploit-db.com/exploits/42024/","name":"https://www.exploit-db.com/exploits/42024/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"WordPress Plugin PHPMailer 4.6 - Host Header Command Injection (Metasploit) - PHP remote Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/40970/","name":"https://www.exploit-db.com/exploits/40970/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Patch","Third Party Advisory","VDB Entry"],"title":"PHPMailer < 5.2.18 - Remote Code Execution (PHP)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/40968/","name":"https://www.exploit-db.com/exploits/40968/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Patch","Third Party Advisory","VDB Entry"],"title":"PHPMailer < 5.2.18 - Remote Code Execution (Bash)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/42221/","name":"https://www.exploit-db.com/exploits/42221/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution - PHP webapps Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://seclists.org/fulldisclosure/2016/Dec/78","name":"http://seclists.org/fulldisclosure/2016/Dec/78","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch","Third Party Advisory"],"title":"Full Disclosure: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/41962/","name":"https://www.exploit-db.com/exploits/41962/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"WordPress 4.6 - Unauthenticated Remote Code Execution","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html","name":"https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"[20161205] - PHPMailer Security Advisory","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"PHPMailer Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","name":"https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Vendor Advisory"],"title":"About the CVE 2016 10033 and CVE 2016 10045 vulnerabilities · PHPMailer/PHPMailer Wiki · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.drupal.org/psa-2016-004","name":"https://www.drupal.org/psa-2016-004","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"PHPmailer 3rd party library -- DRUPAL-SA-PSA-2016-004 | Drupal.org","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-10033","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10033","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[{"source":"ADP","time":"2025-07-07T00:00:00.000Z","lang":"en","value":"CVE-2016-10033 added to CISA KEV"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"10033","vulnerable":"1","versionEndIncluding":"3.6.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"joomla","cpe5":"joomla\\!","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"10033","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"phpmailer_project","cpe5":"phpmailer","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"10033","vulnerable":"1","versionEndIncluding":"4.7","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wordpress","cpe5":"wordpress","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2016","cve_id":"10033","cve":"CVE-2016-10033","vendorProject":"PHP","product":"PHPMailer","vulnerabilityName":"PHPMailer Command Injection Vulnerability","dateAdded":"2025-07-07","shortDescription":"PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.","requiredAction":"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.","dueDate":"2025-07-28","knownRansomwareCampaignUse":"Unknown","notes":"This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18 ; https://github.com/advisories/GHSA-5f37-gxvh-23v6 ; https://nvd.nist.gov/vuln/detail/CVE-2016-10033","cwes":"CWE-77,CWE-88","catalogVersion":"2026.04.22","updated_at":"2026-04-22 20:03:10"},"epss":{"cve_year":"2016","cve_id":"10033","cve":"CVE-2016-10033","epss":"0.944650000","percentile":"0.999960000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:15"},"legacy_qids":[{"cve":"CVE-2016-10033","qid":"199517","title":"Ubuntu Security Notification for PHPMailer Vulnerabilities (USN-5956-1)"}]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T03:07:32.161Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://www.drupal.org/psa-2016-004"},{"name":"42221","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/42221/"},{"name":"40969","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/40969/"},{"name":"41962","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/41962/"},{"name":"40968","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/40968/"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18"},{"name":"20161227 PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]","tags":["mailing-list","x_refsource_BUGTRAQ","x_transferred"],"url":"http://www.securityfocus.com/archive/1/539963/100/0/threaded"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html"},{"name":"40974","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/40974/"},{"name":"40986","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/40986/"},{"name":"40970","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/40970/"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection"},{"name":"41996","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/41996/"},{"name":"20161227 PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]","tags":["mailing-list","x_refsource_FULLDISC","x_transferred"],"url":"http://seclists.org/fulldisclosure/2016/Dec/78"},{"name":"95108","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/95108"},{"name":"1037533","tags":["vdb-entry","x_refsource_SECTRACK","x_transferred"],"url":"http://www.securitytracker.com/id/1037533"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html"},{"name":"42024","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/42024/"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2016-10033","options":[{"Exploitation":"active"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2025-07-17T03:55:44.949090Z","version":"2.0.3"},"type":"ssvc"}},{"other":{"content":{"dateAdded":"2025-07-07","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-10033"},"type":"kev"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-88","description":"CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-10-21T23:55:47.202Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["government-resource"],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-10033"}],"timeline":[{"lang":"en","time":"2025-07-07T00:00:00.000Z","value":"CVE-2016-10033 added to CISA KEV"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2016-12-25T00:00:00.000Z","descriptions":[{"lang":"en","value":"The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \\\" (backslash double quote) in a crafted Sender property."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2018-10-09T18:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"tags":["x_refsource_MISC"],"url":"http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://www.drupal.org/psa-2016-004"},{"name":"42221","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/42221/"},{"name":"40969","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/40969/"},{"name":"41962","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/41962/"},{"name":"40968","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/40968/"},{"tags":["x_refsource_MISC"],"url":"https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18"},{"name":"20161227 PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]","tags":["mailing-list","x_refsource_BUGTRAQ"],"url":"http://www.securityfocus.com/archive/1/539963/100/0/threaded"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities"},{"tags":["x_refsource_MISC"],"url":"http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html"},{"name":"40974","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/40974/"},{"name":"40986","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/40986/"},{"name":"40970","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/40970/"},{"tags":["x_refsource_MISC"],"url":"http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection"},{"name":"41996","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/41996/"},{"name":"20161227 PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]","tags":["mailing-list","x_refsource_FULLDISC"],"url":"http://seclists.org/fulldisclosure/2016/Dec/78"},{"name":"95108","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/95108"},{"name":"1037533","tags":["vdb-entry","x_refsource_SECTRACK"],"url":"http://www.securitytracker.com/id/1037533"},{"tags":["x_refsource_CONFIRM"],"url":"https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html"},{"name":"42024","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/42024/"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2016-10033","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \\\" (backslash double quote) in a crafted Sender property."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html"},{"name":"https://www.drupal.org/psa-2016-004","refsource":"CONFIRM","url":"https://www.drupal.org/psa-2016-004"},{"name":"42221","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/42221/"},{"name":"40969","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/40969/"},{"name":"41962","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/41962/"},{"name":"40968","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/40968/"},{"name":"https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html","refsource":"MISC","url":"https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"},{"name":"https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18","refsource":"CONFIRM","url":"https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18"},{"name":"20161227 PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]","refsource":"BUGTRAQ","url":"http://www.securityfocus.com/archive/1/539963/100/0/threaded"},{"name":"https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","refsource":"CONFIRM","url":"https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities"},{"name":"http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html"},{"name":"40974","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/40974/"},{"name":"40986","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/40986/"},{"name":"40970","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/40970/"},{"name":"http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection","refsource":"MISC","url":"http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection"},{"name":"41996","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/41996/"},{"name":"20161227 PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]","refsource":"FULLDISC","url":"http://seclists.org/fulldisclosure/2016/Dec/78"},{"name":"95108","refsource":"BID","url":"http://www.securityfocus.com/bid/95108"},{"name":"1037533","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1037533"},{"name":"https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html","refsource":"CONFIRM","url":"https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html"},{"name":"42024","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/42024/"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2016-10033","datePublished":"2016-12-30T19:00:00.000Z","dateReserved":"2016-12-22T00:00:00.000Z","dateUpdated":"2025-10-21T23:55:47.202Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2016-12-30 19:59:00","lastModifiedDate":"2026-04-21 16:27:03","problem_types":["CWE-88","n/a","CWE-88 CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*","versionEndExcluding":"5.2.18","matchCriteriaId":"9CFF1E1E-0F95-442C-B121-B438985E64C8"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","versionEndIncluding":"4.7","matchCriteriaId":"5C55F44C-4A71-4C47-9908-071A23D46939"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*","versionStartIncluding":"1.5.0","versionEndIncluding":"3.6.5","matchCriteriaId":"0CD26A61-1228-43AC-AEAF-20BF83345F2D"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"10033","Ordinal":"1","Title":"CVE-2016-10033","CVE":"CVE-2016-10033","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"10033","Ordinal":"1","NoteData":"The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \\\" (backslash double quote) in a crafted Sender property.","Type":"Description","Title":"CVE-2016-10033"},{"CveYear":"2016","CveId":"10033","Ordinal":"2","NoteData":"2016-12-30","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"10033","Ordinal":"3","NoteData":"2018-10-09","Type":"Other","Title":"Modified"}]}}}