Skip to main content

Breaking cybersecurity news

Vulnerability database

EU vulnerability data

Hands-on web security training

Security incidents database

Knowledge library

Analytics & trends

Follow us

Professional cybersecurity intelligence

Breaking cybersecurity news

Vulnerability database

EU vulnerability data

Hands-on web security training

Security incidents database

Knowledge library

Analytics & trends

Follow us

About Sources Sponsored Articles Status Legal Terms

v2.3.3•© 2026

Telegram Bluesky GitHub Contact

Return to CVE list

CVE-2016-10034

CVE-2016-10034

9.8

Critical

Published:30 Dec 2016

Last updated:17 Jun 2026

Source:cve@mitre.org

Modified

Weakness (CWE)

CWE-77Command Injection

CVSS Vector

v3.0

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

View on MITRE Find PoC on GitHub

Description

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.

Exploits

409792016-12-30webappsPHP

Zend Framework / zend-mail < 2.4.11 - Remote Code Execution

By Dawid Golunski

409862017-01-02webappsPHP

PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution

By Dawid Golunski

422212017-06-21webappsPHP

PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution

By phackt_ul

References

cve@mitre.org

http://www.securityfocus.com/bid/95144

cve@mitre.org

http://www.securitytracker.com/id/1037539

cve@mitre.org

https://framework.zend.com/security/advisory/ZF2016-04

cve@mitre.org

https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html

cve@mitre.org

https://security.gentoo.org/glsa/201804-10

cve@mitre.org

https://www.exploit-db.com/exploits/40979/

cve@mitre.org

https://www.exploit-db.com/exploits/40986/

cve@mitre.org

https://www.exploit-db.com/exploits/42221/

af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/95144

af854a3a-2127-422b-91ae-364da2661108

http://www.securitytracker.com/id/1037539

af854a3a-2127-422b-91ae-364da2661108

https://framework.zend.com/security/advisory/ZF2016-04

af854a3a-2127-422b-91ae-364da2661108

https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html

af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/201804-10

af854a3a-2127-422b-91ae-364da2661108

https://www.exploit-db.com/exploits/40979/

af854a3a-2127-422b-91ae-364da2661108

https://www.exploit-db.com/exploits/40986/

af854a3a-2127-422b-91ae-364da2661108

https://www.exploit-db.com/exploits/42221/