CVE-2016-10033

CRITICAL - CVSS 9.8CWE-88

Published: 12/30/2016

Modified: 10/22/2025

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

Vulnerability Summary

CVSS v3 Score

9.8CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2 Score

7.5

AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE Classification

CWE-88