CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2016-10033

CVSS 9.8v3.1pub. 2016-12-30upd. 2026-04-21

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Joomla Joomla\!

    APP
    Joomla
    1.5.0 – 3.6.5
  • Phpmailer Project Phpmailer

    APP
    Phpmailer Project
    < 5.2.18
  • WordPress

    APP
    Wordpress
    ≤ 4.7

CISA KEV — detailsi

Vendori
PHP
Producti
PHPMailer
Added to KEVi
July 7, 2025
Remediation deadline (US Federal)i
July 28, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 28 lipca 2025
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-48902CRITICAL9.8PL ✓ten sam produkt

Joomla! — degradacja szyfrowania transportu w linkach resetowania hasła i nazwy użytkownika

CVE-2025-25226CRITICAL9.8PL ✓ten sam produkt

SQL injection w metodzie quoteNameStr pakietu bazy danych Joomla Framework

CVE-2024-27185CRITICAL9.1PL ✓ten sam produkt

Joomla! — cache poisoning przez dowolne parametry w paginacji

CVE-2022-23799CRITICAL9.8ten sam produkt

An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-s...

CVE-2022-23797CRITICAL9.8ten sam produkt

An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering on the sel...