Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐘 Packagist

GHSA-4pc3-96mx-wwc8

CRITICAL

Remote code execution in PHPMailer

Also known asCVE-2016-10045
Published
Mar 5, 2020
Updated
Apr 14, 2025
Affected
1 pkg
Patched
1 / 1
Exploits
10 known

EPSS Exploitation Probability

via FIRST.org ↗
93.1%probability of exploitation in next 30 days
Very High Risk100th percentile-0.34%
92.6%93.1%93.6%94.1%93.5%93.1%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐘phpmailer/phpmailer

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Impact

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

This issue really emphasises that it's worth avoiding the built-in PHP mail() function entirely.

Patches

Fixed in 5.2.20

Workarounds

Send via SMTP to localhost instead of calling the mail() function.

References

https://nvd.nist.gov/vuln/detail/CVE-2016-10045 See also https://nvd.nist.gov/vuln/detail/CVE-2016-10033

For more information

If you have any questions or comments about this advisory:

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐘Packagistphpmailer/phpmailer5.0.0&&< 5.2.205.2.20
Exploits & PoCs
10

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

EDB-40986webappsphp

PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution

by Dawid Golunski · Jan 2, 2017

Exploit-DB Source
EDB-42221webappsphp

PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution

by phackt_ul · Jun 21, 2017

Exploit-DB Source
EDB-40969webappsphp

PHPMailer < 5.2.20 - Remote Code Execution

by Dawid Golunski · Dec 27, 2016

Exploit-DB Source

Frequently Asked Questions

### Impact The `isMail` transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the `mail` command and consequently execute arbitrary code by leveraging improper interaction between the `escapeshellarg` function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. This issue really emphasises that it&#39;s worth avoiding the built-in PHP `mail()` function entirely. ### Patches Fixed in 5.2.20 ### Workarounds Send via SMTP to localhost instead of calling the `mail()`
O3 Security · Impact-Aware SCA

Is GHSA-4pc3-96mx-wwc8 in your stack?

O3 detects GHSA-4pc3-96mx-wwc8 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my stack How O3 SCA works