The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

Published: 2016-12-30

CVSS: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Download CVE-2016-10033 POC (Proof-of-Concept) here:

Tip: Download official Tor Browser at https://www.torproject.org/download/ to access .onion links.

https://connollyfinan.ie/poc-359-cve-2024-38476/

https://connollyfinan.ie/poc-15-cve-2025-53786/

https://connollyfinan.ie/poc-180-cve-2022-3236/

https://connollyfinan.ie/poc-297-cve-2019-10744/

https://connollyfinan.ie/poc-373-cve-2017-0143/