CVE-2016-10033
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property.
Date published : 2016-12-30
http://www.securityfocus.com/bid/95108
http://www.securityfocus.com/archive/1/539963/100/0/threaded