CVE-2016-10074

CRITICAL

SwiftMailer < 5.4.5 - Remote Code Execution via Mail Command Parameter Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-10074. PoCs published by phackt_ul, Dawid Golunski.

AI-analyzed exploit summary This exploit targets PHPMailer, SwiftMailer, and Zend Framework mail libraries to achieve remote code execution via command injection in the email address field. It leverages Exim MTA's expansion mode and base64 encoding to bypass input validation and execute a reverse shell.

Description

The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.

Exploits (3)

exploitdb WORKING POC

by phackt_ul · pythonwebappsphp

https://www.exploit-db.com/exploits/42221

View Code ZIP pw:eip

This exploit targets PHPMailer, SwiftMailer, and Zend Framework mail libraries to achieve remote code execution via command injection in the email address field. It leverages Exim MTA's expansion mode and base64 encoding to bypass input validation and execute a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PHPMailer < 5.2.20, SwiftMailer <= 5.4.5-DEV, Zend Framework / zend-mail < 2.4.11

No auth needed

Prerequisites: Vulnerable PHP mail library · Exim MTA as the mail transfer agent · Access to a contact form or similar input vector

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1133 - External Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Dawid Golunski · pythonwebappsphp

https://www.exploit-db.com/exploits/40986

View Code ZIP pw:eip

This exploit targets multiple vulnerabilities in PHPMailer, SwiftMailer, and Zend-mail to achieve remote code execution via a contact form. It uploads a PHP backdoor containing a reverse shell payload to the target server.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PHPMailer < 5.2.20, SwiftMailer <= 5.4.5-DEV, Zend Framework / zend-mail < 2.4.11

No auth needed

Prerequisites: Target must have a vulnerable version of PHPMailer, SwiftMailer, or Zend-mail · Target must have a contact form with default or known field names · Attacker must have a listener set up for the reverse shell

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1133 - External Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Dawid Golunski · phpwebappsphp

https://www.exploit-db.com/exploits/40972

View Code ZIP pw:eip

This exploit leverages a parameter injection vulnerability in SwiftMailer to execute arbitrary commands via the sendmail MTA. It injects malicious parameters into the 'From' field to write a PHP payload to a writable directory.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: SwiftMailer <= 5.4.5-DEV

No auth needed

Prerequisites: Sendmail MTA · Writable directory by web user

MITRE ATT&CK