CVE-2016-10033
Published: 30 December 2016
Summary
CVE-2016-10033 is a critical-severity Argument Injection (CWE-88) vulnerability in PHPMailer (PHPMailer Project). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2016-10033 is present in the mailSend function of the isMail transport in PHPMailer versions before 5.2.18. It arises from insufficient neutralization of the Sender property: a backslash double quote (\") sequence in that value lets an attacker inject additional arguments into the mail command. It is tracked as CWE-88 with a CVSS 3.1 score of 9.8.
Unauthenticated remote attackers can supply a crafted Sender value when an application uses the vulnerable PHPMailer instance to send mail. This permits arbitrary parameters to be passed to the mail binary, enabling execution of attacker-controlled commands on the underlying system.
Public exploit code and Metasploit modules demonstrating the injection are referenced in disclosures on PacketStorm, Seclists full-disclosure, and Rapid7, confirming that the issue is remotely exploitable in default configurations without requiring user interaction.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-0331
Vulnerability details
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
- CWE(s): CWE-88 (Argument Injection)
- KEV Date Added: 07 July 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and neutralization of the Sender property to block backslash-double-quote argument injection into the mail binary.
- SI-2 (Flaw Remediation): Mandates timely patching or replacement of the vulnerable PHPMailer <5.2.18 isMail transport that permits the CWE-88 injection.
- CM-7 (Least Functionality): Enforces least functionality by disabling the mail() transport or restricting the mail binary, eliminating the injection surface exploited by crafted Sender values.
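The SI-10 control above, applied to the mechanism described in the deeper analysis, comes down to never letting an unvalidated Sender value reach the mail binary's -f parameter. The following is an added example (not PHPMailer's code, and not from the advisory) of that check plus a small log sweep that flags non-conforming senders; the log format, the address values and the sendmail path are constructed assumptions.

```python
"""Defender-side checks for the PHPMailer Sender issue (CVE-2016-10033).

Added example, not PHPMailer code. Shows a strict allowlist for envelope
senders (the SI-10 validation), an argv-based sendmail invocation that
cannot be split by a quote, and a detector that flags log entries whose
sender value falls outside the allowlist (the \" pattern included).
"""
import re

# Deliberately narrow allowlist: dot-atom-style local part and a dotted
# domain. Quoted local parts, backslashes, quotes, whitespace and shell
# metacharacters are rejected even though RFC 5321 permits some of them;
# a legitimate envelope sender never needs them.
ENVELOPE_SENDER_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9._%+-]{0,62}[A-Za-z0-9])?"
    r"@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)


def is_safe_envelope_sender(addr: str) -> bool:
    """True only if addr is a plain address safe to hand to sendmail -f."""
    return bool(ENVELOPE_SENDER_RE.fullmatch(addr))


def sendmail_argv(sender: str, recipient: str) -> list[str]:
    """Build the sendmail command as an argv list, never a shell string.

    Raises ValueError instead of silently dropping a bad address so that
    callers cannot fall through to an unvalidated path. The binary path is
    an assumption for this example.
    """
    for addr in (sender, recipient):
        if not is_safe_envelope_sender(addr):
            raise ValueError(f"rejected envelope address: {addr!r}")
    # Each list element is exactly one argument, so a quote inside a value
    # can never become an argument separator.
    return ["/usr/sbin/sendmail", "-oi", "-f", sender, recipient]


# Constructed sample log lines (not real traffic); sender is the last field.
SAMPLE_LOG = [
    "2025-07-07T08:00:01Z contact-form sender=alice@example.com",
    '2025-07-07T08:00:02Z contact-form sender=bob\\" -INJECTED-ARG "@example.com',
    "2025-07-07T08:00:03Z contact-form sender=carol.smith+news@mail.example.org",
]


def find_suspicious_senders(log_lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_no, sender) for entries whose sender fails the allowlist."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        _, sep, sender = line.partition("sender=")
        if sep and not is_safe_envelope_sender(sender):
            hits.append((n, sender))
    return hits
```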