CVE-2016-10045

CRITICAL

PHPMailer < 5.2.20 - Remote Code Execution via Sendmail Argument Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-10045. PoCs published by phackt_ul, Dawid Golunski.

AI-analyzed exploit summary This exploit targets PHPMailer, SwiftMailer, and Zend Framework mail libraries to achieve remote code execution via command injection in the email address field. It leverages Exim MTA's expansion mode and base64 encoding to bypass input validation and execute a reverse shell.

Description

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

Exploits (3)

exploitdb WORKING POC

by phackt_ul · pythonwebappsphp

https://www.exploit-db.com/exploits/42221

View Code ZIP pw:eip

This exploit targets PHPMailer, SwiftMailer, and Zend Framework mail libraries to achieve remote code execution via command injection in the email address field. It leverages Exim MTA's expansion mode and base64 encoding to bypass input validation and execute a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PHPMailer < 5.2.20, SwiftMailer <= 5.4.5-DEV, Zend Framework / zend-mail < 2.4.11

No auth needed

Prerequisites: Vulnerable PHP mail library · Exim MTA as the mail transfer agent · Access to a contact form or similar input vector

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1133 - External Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Dawid Golunski · pythonwebappsphp

https://www.exploit-db.com/exploits/40986

View Code ZIP pw:eip

This exploit targets multiple vulnerabilities in PHPMailer, SwiftMailer, and Zend-mail to achieve remote code execution via a contact form. It uploads a PHP backdoor containing a reverse shell payload to the target server.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PHPMailer < 5.2.20, SwiftMailer <= 5.4.5-DEV, Zend Framework / zend-mail < 2.4.11

No auth needed

Prerequisites: Target must have a vulnerable version of PHPMailer, SwiftMailer, or Zend-mail · Target must have a contact form with default or known field names · Attacker must have a listener set up for the reverse shell

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1133 - External Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Dawid Golunski · pythonwebappsphp

https://www.exploit-db.com/exploits/40969

View Code ZIP pw:eip

This exploit leverages a command injection vulnerability in PHPMailer versions < 5.2.20 via the 'email' parameter. It crafts a malicious payload to write arbitrary PHP code to a writable directory, achieving remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: PHPMailer < 5.2.20

No auth needed

Prerequisites: A writable directory on the target server · A vulnerable PHPMailer version · A contact form or similar input vector

MITRE ATT&CK