CVE-2016-10045

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2016-10045

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-10045.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2016-10045

Aliases

GHSA-4pc3-96mx-wwc8

Downstream

ALPINE-CVE-2016-10045

UBUNTU-CVE-2016-10045

USN-5956-1

Published

2016-12-30T19:59:00Z

Modified

2025-10-14T15:08:09.989834Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

References

Affected packages

Git / github.com/phpmailer/phpmailer

Affected ranges

Type: GIT
Repo: https://github.com/phpmailer/phpmailer
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

efde5edb3da8e1d257e030e3c2d922c4de6e5d09

Type: GIT
Repo: https://github.com/wordpress/wordpress
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3506bfe7d5abbb8facd0b80f50fe2e90e22f192a

Type: GIT
Repo: https://github.com/wordpress/wordpress-develop
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

dad62d94743c6c245bed2e3852b32dc1f271a019

Affected versions

v2.*

v2.2.1

v5.*

v5.2.0

v5.2.1

v5.2.10

v5.2.11

v5.2.12

v5.2.13

v5.2.14

v5.2.15

v5.2.16

v5.2.17

v5.2.18

v5.2.19

v5.2.2

v5.2.4

v5.2.5

v5.2.6

v5.2.7

v5.2.8

v5.2.9