CVE-2017-5223

MEDIUM

PHPMailer < 5.2.22 - Unauthenticated Sensitive Information Exposure via msgHTML Image Attachment Handling


Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-5223. PoCs published by Maciek Krupa, cscli.

AI-analyzed exploit summary: This exploit leverages a local file disclosure vulnerability in PHPMailer <= 5.2.21 by injecting an HTML img tag with a src attribute pointing to a local file (e.g., /etc/passwd) into an email message. The vulnerability allows an attacker to read arbitrary files on the server when the email is processed.

Description

An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base directory is provided, it resolves to /, meaning that relative image URLs get treated as absolute local file paths and added as attachments. To form a remote vulnerability, the msgHTML method must be called, passed an unfiltered, user-supplied HTML document, and must not set a base directory.
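
The remote condition described above depends on unfiltered user HTML reaching msgHTML, so one mitigation besides upgrading and setting a base directory is to screen the HTML first. The following is an added example, not code from PHPMailer or from this page; the function names, the src/background attribute list and the http(s)-only policy are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the form only needs remotely hosted images, so only these pass.
ALLOWED_SCHEMES = {"http", "https"}
# Assumption: attributes treated as image references by this screen.
IMAGE_ATTRS = {"src", "background"}

# Constructed sample input, not taken from any real message.
SAMPLE = (
    "<body background=img/bg.png>"
    '<img src="https://cdn.example.com/logo.png">'
    '<IMG SRC="/etc/passwd">'
    "</body>"
)


class _ImageRefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, attribute, value) for each image reference

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in values,
        # so SRC="&#47;etc/passwd" arrives as ("src", "/etc/passwd").
        for name, value in attrs:
            if name in IMAGE_ATTRS and value:
                self.refs.append((tag, name, value.strip()))


def local_image_refs(html):
    """Return references that are not absolute http(s) URLs."""
    collector = _ImageRefCollector()
    collector.feed(html)
    collector.close()
    flagged = []
    for tag, attr, value in collector.refs:
        try:
            parts = urlsplit(value)
            remote = parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)
        except ValueError:  # malformed URL: treat as unsafe
            remote = False
        if not remote:
            flagged.append((tag, attr, value))
    return flagged


def safe_for_msghtml(html):
    return not local_image_refs(html)
```

Rejecting or stripping the flagged references before the message is built removes the user-controlled path; it complements upgrading to 5.2.22 rather than replacing it.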

Exploits (2)

exploitdb WORKING POC
by Maciek Krupa · python · webapps · php
https://www.exploit-db.com/exploits/43056

This exploit leverages a local file disclosure vulnerability in PHPMailer <= 5.2.21 by injecting an HTML img tag with a src attribute pointing to a local file (e.g., /etc/passwd) into an email message. The vulnerability allows an attacker to read arbitrary files on the server when the email is processed.

Classification: Working Poc 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: PHPMailer <= 5.2.21
No auth needed
Prerequisites: A contact form that sends HTML emails and allows sending a copy to the attacker's email
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by cscli · poc
https://github.com/cscli/CVE-2017-5223

This PoC exploits CVE-2017-5223, a vulnerability in PHPMailer that allows arbitrary file read via malicious email attachments. The exploit crafts an email with an attachment path pointing to a sensitive file (e.g., /etc/passwd) and sends it using SMTP.

Classification: Working Poc 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: PHPMailer (versions before 5.2.20)
No auth needed
Prerequisites: SMTP server access · PHPMailer library vulnerable to CVE-2017-5223
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/95328
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43056/
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md

Scores

CVSS v3 5.5
EPSS 0.0214
EPSS Percentile 79.7%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-200
Status published
Products (2)
phpmailer/phpmailer 5.0.0 - 5.2.22 (Packagist)
phpmailer_project/phpmailer < 5.2.21
Published Jan 16, 2017
Tracked Since Feb 18, 2026