CVE-2016-10074

Name: CVE-2016-10074
Creator: NVD / NIST
Published: 2016-12-30T19:59:00.31+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 41.83%

Last modified Jun 17, 2026

CVE-2016-10074 is a vulnerability of currently unknown severity. The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.. EPSS estimates a 41.83% chance of exploitation in the next 30 days.

Description

The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.

Metrics

EPSS Probability

41.83%

98.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-77

Affected Software

Vendor	Product	Versions
Swiftmailer	Swiftmailer	<= 5.4.4

References

http://packetstormsecurity.com/files/140290/SwiftMailer-Remote-Code-Execution.htmlExploit, Third Party Advisory
http://seclists.org/fulldisclosure/2016/Dec/86Exploit, Mailing List
http://www.debian.org/security/2017/dsa-3769
http://www.securityfocus.com/bid/95140Third Party Advisory, VDB Entry
https://github.com/swiftmailer/swiftmailer/blob/5.x/CHANGESPatch, Vendor Advisory
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.htmlExploit, Technical Description, Third Party Advisory
https://www.exploit-db.com/exploits/40972/Exploit, Third Party Advisory
https://www.exploit-db.com/exploits/40986/
https://www.exploit-db.com/exploits/42221/
http://packetstormsecurity.com/files/140290/SwiftMailer-Remote-Code-Execution.htmlExploit, Third Party Advisory
http://seclists.org/fulldisclosure/2016/Dec/86Exploit, Mailing List
http://www.debian.org/security/2017/dsa-3769
http://www.securityfocus.com/bid/95140Third Party Advisory, VDB Entry
https://github.com/swiftmailer/swiftmailer/blob/5.x/CHANGESPatch, Vendor Advisory
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.htmlExploit, Technical Description, Third Party Advisory
https://www.exploit-db.com/exploits/40972/Exploit, Third Party Advisory
https://www.exploit-db.com/exploits/40986/
https://www.exploit-db.com/exploits/42221/

Timeline

Published: Dec 30, 2016
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2016-10074?

How severe is CVE-2016-10074?

Severity scoring for CVE-2016-10074 is pending analysis. The EPSS model estimates a 41.83% probability of exploitation in the next 30 days.

How do I fix CVE-2016-10074?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-10074?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST