Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-5f37-gxvh-23v6

GitHub Security Advisory

Remote code execution in PHPMailer

✓ GitHub Reviewed CRITICAL Has CVE
View on GitHub

Advisory Details

### Impact
The `mailSend` function in the default `isMail` transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted `Sender` property.

### Patches
Fixed in 5.2.18

### Workarounds
Filter and validate user input before passing it to internal functions.

### References
https://nvd.nist.gov/vuln/detail/CVE-2016-10033
Related to a follow-on issue in https://nvd.nist.gov/vuln/detail/CVE-2016-10045

### For more information
If you have any questions or comments about this advisory:
* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)

Affected Packages

Packagist phpmailer/phpmailer
Affected versions: 5.0.0 (fixed in 5.2.18)

Related CVEs

CVE-2016-10033

Key Information

GHSA ID
GHSA-5f37-gxvh-23v6
Published
March 5, 2020 10:09 PM
Last Modified
April 14, 2025 10:06 PM
CVSS Score
9.0 /10
Primary Ecosystem
Packagist
Primary Package
phpmailer/phpmailer
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 29, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.