
CVE-2016-10033

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 30 December 2016
Modified: 21 April 2026
KEV Added: 07 July 2025
CVSS Score (v3.1): 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9442 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-10033 is a critical-severity Argument Injection (CWE-88) vulnerability in PHPMailer (PHPMailer Project). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2016-10033 is present in the mailSend function of the isMail transport in PHPMailer versions before 5.2.18. It arises from insufficient neutralization of the Sender property: a backslash double-quote (\") sequence in that value is not stripped, so additional arguments can be injected into the mail command. The issue is tracked as CWE-88 and carries a CVSS 3.1 score of 9.8.

Unauthenticated remote attackers can supply a crafted Sender value when an application uses the vulnerable PHPMailer instance to send mail. This permits arbitrary parameters to be passed to the mail binary, enabling execution of attacker-controlled commands on the underlying system.

Public exploit code and Metasploit modules demonstrating the injection are referenced in disclosures on PacketStorm, Seclists full-disclosure, and Rapid7, confirming that the issue is remotely exploitable in default configurations without requiring user interaction.


Vulnerability details

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
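The control the summary points to (SI-10, validation of the Sender property before it ever reaches the mail binary) can be applied in the calling application regardless of the mail library version. The following is an added example, not code from PHPMailer or from this advisory: a conservative addr-spec check that accepts only a dot-separated local part and a dotted domain, so any value carrying the \" sequence described above, whitespace, or other shell-significant characters is rejected with a reason that can be logged. The character set and length limit are this example's own assumptions, deliberately narrower than RFC 5322.

```python
import re

# Conservative subset of an RFC 5322 addr-spec (assumption of this example):
# dot-atom local part from a small character set, domain of two or more
# labels. No quoted local parts, no comments, no whitespace, no backslashes.
_ATOM = r"[A-Za-z0-9_%+-]+"
_LOCAL = rf"{_ATOM}(?:\.{_ATOM})*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"
_ADDR_RE = re.compile(rf"^{_LOCAL}@{_DOMAIN}$")

# Characters with meaning to a shell or to argument parsing. The regex
# already excludes them; naming them gives an explicit reason for the log.
_FORBIDDEN = set('"\\\'`$;&|<>() \t\r\n')


def check_sender(value: str, max_len: int = 254) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate Sender / envelope-from value."""
    if not isinstance(value, str) or not value:
        return False, "empty"
    if len(value) > max_len:
        return False, "too long"
    bad = sorted(
        c for c in set(value)
        if c in _FORBIDDEN or ord(c) < 0x20 or ord(c) > 0x7E
    )
    if bad:
        return False, "forbidden characters: " + repr("".join(bad))
    if not _ADDR_RE.fullmatch(value):
        return False, "not a plain addr-spec"
    return True, "ok"


def safe_sender(value: str) -> str:
    """Raise ValueError unless the value passes, so callers cannot skip the check."""
    ok, reason = check_sender(value)
    if not ok:
        raise ValueError(f"rejected sender: {reason}")
    return value


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for candidate in ["alice@example.com", 'alice\\"@example.com', "bob @example.com"]:
        print(repr(candidate), "->", check_sender(candidate))
```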

CWE(s): CWE-88 (Argument Injection)
KEV Date Added: 07 July 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Affected versions
phpmailer project | phpmailer | ≤ 5.2.18
wordpress | wordpress | ≤ 4.7
joomla | joomla! | 1.5.0 to 3.6.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and neutralization of the Sender property to block backslash double-quote argument injection into the mail binary.

SI-2 Flaw Remediation (prevent): Mandates timely patching or replacement of the vulnerable PHPMailer <5.2.18 isMail transport that permits the CWE-88 injection.

CM-7 Least Functionality (prevent): Enforces least functionality by disabling the mail() transport or restricting the mail binary, eliminating the injection surface exploited by crafted Sender values.
