All PHPMailer CVEs — Complete Vulnerability History
PHPMailer is the most widely used PHP email library. Its historical CVEs include critical remote code execution flaws, and its broad deployment has made it a major target.
- Ecosystem: PHP
- 3M+ weekly downloads
- 3 CVEs total
- 3 CRITICAL
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2016-10033 | 2016 | CRITICAL | RCE via sender parameter injection | Fixed 5.2.18 |
| CVE-2016-10045 | 2016 | CRITICAL | RCE bypass of incomplete fix for CVE-2016-10033 | Fixed 5.2.20 |
| CVE-2021-3603 | 2021 | CRITICAL | RCE via SMTP server response injection | Fixed 6.5.0 |
Current safe version: 6.9.1
Before, in `composer.json`:

```json
"phpmailer/phpmailer": "^6.5"
```

After:

```json
"phpmailer/phpmailer": "^6.9"
```

Then run: `composer install`
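Before bumping the constraint it helps to know which of the CVEs in the table actually apply to the version a project has locked. The script below is an added example written for this page; it is not PackageFix's or PHPMailer's own code. It reads the `phpmailer/phpmailer` entry from a `composer.lock`, compares it against the fix versions listed in the table (a version is affected when it is older than the release that shipped the fix), and reports the matching CVE ids. The lock-file content at the bottom is constructed for the demo.

```python
"""Audit a composer.lock for PHPMailer versions affected by the CVEs listed above.

Added example for this page (not PackageFix or PHPMailer code). The fix
versions come from the CVE table; the sample lock content is constructed.
"""
import json
import re

# Version that shipped each fix, per the table on this page. An installed
# version is affected when it sorts strictly below the fix version.
PHPMAILER_FIXES = {
    "CVE-2016-10033": (5, 2, 18),
    "CVE-2016-10045": (5, 2, 20),
    "CVE-2021-3603": (6, 5, 0),
}


def parse_version(text):
    """Turn a composer version string ('v5.2.17', '6.5.0-rc1') into a
    comparable (major, minor, patch) tuple.

    Pre-release and build suffixes are dropped, so '6.5.0-rc1' compares
    equal to 6.5.0; branch aliases such as 'dev-master' have no numeric
    core and return None so the caller can flag them for manual review.
    """
    core = text.strip().lstrip("vV").split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        return None
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def affected_cves(version):
    """Return the CVE ids from PHPMAILER_FIXES that apply to `version`,
    or None when the version string cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return [cve for cve, fixed in PHPMAILER_FIXES.items() if parsed < fixed]


def installed_phpmailer(lock_json):
    """Return the phpmailer/phpmailer version recorded in a composer.lock
    (both 'packages' and 'packages-dev'), or None when it is not installed."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "phpmailer/phpmailer":
                return pkg.get("version")
    return None


def audit_lock(lock_json):
    """Combine the two steps into one report dict for a lock file's text."""
    version = installed_phpmailer(lock_json)
    if version is None:
        return {"version": None, "cves": []}
    return {"version": version, "cves": affected_cves(version)}


# Constructed sample composer.lock, trimmed to the fields the audit reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpmailer/phpmailer", "version": "v5.2.19"},
        {"name": "monolog/monolog", "version": "2.9.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    report = audit_lock(SAMPLE_LOCK)
    if report["cves"] is None:
        print(f"phpmailer/phpmailer {report['version']}: unparseable version, review manually")
    else:
        print(f"phpmailer/phpmailer {report['version']}: "
              f"{', '.join(report['cves']) or 'no CVEs from the table apply'}")
```

Run it against a real project by passing `open('composer.lock').read()` to `audit_lock`. One caveat on the fix step: when a `composer.lock` already exists, `composer install` keeps the locked versions even after `composer.json` changes, so re-run the audit afterwards and use `composer update phpmailer/phpmailer` if the lock still records an old release.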
Paste your manifest — get a fixed version with all CVEs patched in seconds.
Open PackageFix →

Free · No signup · No CLI · Runs in your browser
Common questions
Are the 2016 PHPMailer RCE CVEs still relevant?
Yes — many legacy PHP applications still run vulnerable PHPMailer versions. The 2016 CVEs were the most exploited PHP vulnerabilities of that year. Any app on PHPMailer < 5.2.18 is critical priority.