{"api_version":"1","generated_at":"2026-04-23T09:38:32+00:00","cve":"CVE-2016-10045","urls":{"html":"https://cve.report/CVE-2016-10045","api":"https://cve.report/api/cve/CVE-2016-10045.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-10045","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-10045"},"summary":{"title":"CVE-2016-10045","description":"The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2016-12-30 19:59:00","updated_at":"2021-09-30 16:30:00"},"problem_types":["CWE-77"],"metrics":[],"references":[{"url":"http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection","name":"http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"CVE-2016-10033 PHPMailer Sendmail Argument Injection | Rapid7","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/40969/","name":"40969","refsource":"EXPLOIT-DB","tags":["Exploit","Third Party Advisory"],"title":"PHPMailer < 5.2.20 - Remote Code Execution","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","name":"https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"About the CVE 2016 10033 and CVE 2016 10045 vulnerabilities · PHPMailer/PHPMailer Wiki · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/539967/100/0/threaded","name":"20161228 PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)","refsource":"BUGTRAQ","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/42221/","name":"42221","refsource":"EXPLOIT-DB","tags":[],"title":"PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution - PHP webapps Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://seclists.org/fulldisclosure/2016/Dec/81","name":"20161227 PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)","refsource":"FULLDISC","tags":["Mailing List","Patch"],"title":"Full Disclosure: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1037533","name":"1037533","refsource":"SECTRACK","tags":[],"title":"PHPMailer Input Validation Flaw Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/95130","name":"95130","refsource":"BID","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"PHPMailer CVE-2016-10045 Incomplete Fix Remote Code Execution Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html","name":"http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"PHPMailer Sendmail Argument Injection ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"PHPMailer Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20","name":"https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"Release PHPMailer 5.2.20 · PHPMailer/PHPMailer · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/40986/","name":"40986","refsource":"EXPLOIT-DB","tags":[],"title":"PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution - PHP webapps Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://openwall.com/lists/oss-security/2016/12/28/1","name":"[oss-security] 20161228 Re: PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]","refsource":"MLIST","tags":["Mailing List","Patch"],"title":"oss-security - Re: PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html","name":"https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html","refsource":"MISC","tags":["Exploit","Patch","Third Party Advisory"],"title":"PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html","name":"https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"[20161205] - PHPMailer Security Advisory","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-10045","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10045","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"10045","vulnerable":"1","versionEndIncluding":"3.6.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"joomla","cpe5":"joomla\\!","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"10045","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"phpmailer_project","cpe5":"phpmailer","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"10045","vulnerable":"1","versionEndIncluding":"5.2.19","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"phpmailer_project","cpe5":"phpmailer","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"10045","vulnerable":"1","versionEndIncluding":"4.7","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wordpress","cpe5":"wordpress","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2016-10045","qid":"199517","title":"Ubuntu Security Notification for PHPMailer Vulnerabilities (USN-5956-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2016-10045","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html"},{"name":"http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html"},{"name":"42221","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/42221/"},{"name":"40969","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/40969/"},{"name":"20161228 PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)","refsource":"BUGTRAQ","url":"http://www.securityfocus.com/archive/1/539967/100/0/threaded"},{"name":"[oss-security] 20161228 Re: PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]","refsource":"MLIST","url":"http://openwall.com/lists/oss-security/2016/12/28/1"},{"name":"https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","refsource":"CONFIRM","url":"https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities"},{"name":"https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20","refsource":"CONFIRM","url":"https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20"},{"name":"40986","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/40986/"},{"name":"http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection","refsource":"MISC","url":"http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection"},{"name":"95130","refsource":"BID","url":"http://www.securityfocus.com/bid/95130"},{"name":"https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html","refsource":"MISC","url":"https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html"},{"name":"20161227 PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)","refsource":"FULLDISC","url":"http://seclists.org/fulldisclosure/2016/Dec/81"},{"name":"1037533","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1037533"},{"name":"https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html","refsource":"CONFIRM","url":"https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html"}]}},"nvd":{"publishedDate":"2016-12-30 19:59:00","lastModifiedDate":"2021-09-30 16:30:00","problem_types":["CWE-77"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*","versionEndExcluding":"5.2.20","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","versionEndIncluding":"4.7","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*","versionStartIncluding":"1.5.0","versionEndIncluding":"3.6.5","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"10045","Ordinal":"101387","Title":"CVE-2016-10045","CVE":"CVE-2016-10045","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"10045","Ordinal":"1","NoteData":"The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.","Type":"Description","Title":null},{"CveYear":"2016","CveId":"10045","Ordinal":"2","NoteData":"2016-12-30","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"10045","Ordinal":"3","NoteData":"2018-10-09","Type":"Other","Title":"Modified"}]}}}