Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

PHPMailer Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in PHPMailer versions prior to 5.2.18. The issue arises in the 'isMail' transport: the value of the 'Sender' property is used as the envelope sender and passed on to the system mail command, so a crafted 'Sender' value can carry additional parameters to that command. Successful exploitation allows arbitrary code execution on the server where the vulnerable PHPMailer version is used.

Impact

Exploitation of this vulnerability allows remote code execution on the server, in the context of the web server user.

Reproduction

To reproduce this vulnerability, upload a PHP file that will be executed via the web server. Then send an email through PHPMailer's 'isMail' transport with the 'Sender' property set to the crafted parameters that trigger the vulnerability. Any contact form or similar functionality that uses PHPMailer to send email can serve as the entry point.

Remediation

PHPMailer has released a patch for this vulnerability in version 5.2.20. Users are advised to update to this version or later. Applications that copy visitor-supplied addresses into the 'Sender' property should additionally stop doing so, regardless of the PHPMailer version in use.
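The following is an added example, not PHPMailer's own code and not part of this advisory, showing the compensating control a contact form can apply while the upgrade is rolled out: the envelope sender handed to PHPMailer's 'Sender' property is a fixed, validated address, and the visitor's address is only ever used for Reply-To after passing a strict allow-list check. The function names (isSafeSenderAddress, chooseEnvelopeSender) and the sample addresses are assumptions constructed for the example; the PHPMailer calls shown in comments (isMail, addReplyTo, the Sender property) are the documented ones.

```php
<?php
// Added example (not PHPMailer's own code): a conservative allow-list check
// for any address that an application copies into PHPMailer's Sender
// property, which is the envelope sender handed to the system mail command.
// Function names and sample addresses are assumptions for this example.

declare(strict_types=1);

/**
 * Return true only if $addr is a plain, unquoted address made of a
 * conservative character set: no whitespace, quotes, backslashes, angle
 * brackets or other shell-meaningful characters, and at most 254 chars.
 * Quoted local parts are legal mail syntax but have no business coming
 * from a web form, so they are rejected outright.
 */
function isSafeSenderAddress(string $addr): bool
{
    if ($addr === '' || strlen($addr) > 254) {
        return false;
    }
    // First gate: PHP's own syntactic check.
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Second gate: allow-list of characters. \z (not $) so that a trailing
    // newline cannot slip past the anchor.
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/', $addr) === 1;
}

/**
 * Decide which addresses a contact form may hand to PHPMailer. The
 * envelope sender is always the fixed, configured address; the visitor's
 * address is only offered for Reply-To, and only if it passes the check.
 */
function chooseEnvelopeSender(string $visitorAddr, string $fixedSender): array
{
    if (!isSafeSenderAddress($fixedSender)) {
        throw new InvalidArgumentException('configured sender is not a plain address');
    }
    return [
        'Sender'  => $fixedSender,
        'ReplyTo' => isSafeSenderAddress($visitorAddr) ? $visitorAddr : null,
    ];
}

// Constructed sample inputs (not from the advisory).
$samples = [
    'alice@example.com',          // plain address: accepted
    '"alice smith"@example.com',  // quoted local part with a space: rejected
    "bob@example.com\n",          // trailing newline: rejected
    'carol@exa mple.com',         // whitespace in domain: rejected
];
foreach ($samples as $s) {
    printf("%-32s %s\n", json_encode($s), isSafeSenderAddress($s) ? 'accepted' : 'rejected');
}

// Wiring into PHPMailer (the class is not instantiated here so the file
// runs stand-alone):
//   $mail->isMail();
//   $mail->Sender = $choice['Sender'];          // fixed, validated value
//   if ($choice['ReplyTo'] !== null) {
//       $mail->addReplyTo($choice['ReplyTo']);  // visitor address, validated
//   }
$choice = chooseEnvelopeSender('"alice smith"@example.com', 'noreply@example.com');
var_dump($choice);
```

The design point is that the envelope sender never derives from request data at all; the allow-list check on the visitor address is a second layer for the Reply-To header, not a substitute for upgrading to 5.2.20 or later.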

Added: Mar 12, 2026, 8:54 AM
Updated: Mar 12, 2026, 8:54 AM