CVE-2016-10034

CRITICAL

Zend Framework < 2.4.11 and zend-mail < 2.4.11 - Remote Code Execution via Sendmail Adapter setFrom Function

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2016-10034. PoCs published by phackt_ul, Dawid Golunski, heikipikker.

AI-analyzed exploit summary This exploit targets PHPMailer, SwiftMailer, and Zend Framework mail libraries to achieve remote code execution via command injection in the email address field. It leverages Exim MTA's expansion mode and base64 encoding to bypass input validation and execute a reverse shell.

Description

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.

Exploits (4)

exploitdb WORKING POC
by phackt_ul · pythonwebappsphp
https://www.exploit-db.com/exploits/42221

This exploit targets PHPMailer, SwiftMailer, and Zend Framework mail libraries to achieve remote code execution via command injection in the email address field. It leverages Exim MTA's expansion mode and base64 encoding to bypass input validation and execute a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PHPMailer < 5.2.20, SwiftMailer <= 5.4.5-DEV, Zend Framework / zend-mail < 2.4.11
No auth needed
Prerequisites: Vulnerable PHP mail library · Exim MTA as the mail transfer agent · Access to a contact form or similar input vector
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Dawid Golunski · pythonwebappsphp
https://www.exploit-db.com/exploits/40986

This exploit targets multiple vulnerabilities in PHPMailer, SwiftMailer, and Zend-mail to achieve remote code execution via a contact form. It uploads a PHP backdoor containing a reverse shell payload to the target server.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PHPMailer < 5.2.20, SwiftMailer <= 5.4.5-DEV, Zend Framework / zend-mail < 2.4.11
No auth needed
Prerequisites: Target must have a vulnerable version of PHPMailer, SwiftMailer, or Zend-mail · Target must have a contact form with default or known field names · Attacker must have a listener set up for the reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Dawid Golunski · phpwebappsphp
https://www.exploit-db.com/exploits/40979

This PoC exploits a command injection vulnerability in Zend Framework's mail functionality (CVE-2016-10034) by injecting malicious parameters into the sendmail command via the 'From' email header. It writes a PHP file containing attacker-controlled code to a writable directory, achieving remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Zend Framework < 2.4.11, zend-mail < 2.4.11, zend-mail < 2.7.2
No auth needed
Prerequisites: Sendmail MTA configured as the mail transport · Writable directory accessible by the web server user
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by heikipikker · poc
https://github.com/heikipikker/exploit-CVE-2016-10034

This repository contains a functional exploit for CVE-2016-10034, targeting PHPMailer versions before 5.2.18. The exploit leverages a vulnerability in the mailSend function to achieve remote code execution (RCE) by injecting malicious parameters into the mail command via a crafted From address.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PHPMailer < 5.2.18
No auth needed
Prerequisites: Docker for vulnerable environment setup · Target running PHPMailer < 5.2.18 · PHP version < 5.2.0 or no PCRE installed for full exploitation
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (8)

Core 8
Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201804-10
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42221/
Exploit, Technical Description, Vendor Advisory x_refsource_confirm
https://framework.zend.com/security/advisory/ZF2016-04
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40979/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037539
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40986/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/95144

Scores

CVSS v3 9.8
EPSS 0.8232
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-77
Status published
Products (11)
zend/zend-mail 2.5.0
zend/zend-mail 2.5.1
zend/zend-mail 2.5.2
zend/zend-mail 2.6.0
zend/zend-mail 2.6.1
zend/zend-mail 2.6.2
zend/zend-mail 2.7.0
zend/zend-mail 2.7.1
zend/zend-mail < 2.4.10
zend/zend_framework < 2.4.10
... and 1 more
Published Dec 30, 2016
Tracked Since Feb 18, 2026