Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-9vv6-nvpt-c3ef
Vulnerability ID VCID-9vv6-nvpt-c3ef
Aliases CVE-2007-3215
GHSA-6h78-85v2-mmch
Summary PHPMailer Shell command injection PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in `class.phpmailer.php`. ### Impact Shell command injection, remotely exploitable if host application does not filter user data appropriately. ### Patches Fixed in 1.7.4 ### Workarounds Filter and validate user-supplied data before putting in the into the `Sender` property. ### References https://nvd.nist.gov/vuln/detail/CVE-2007-3215 ### For more information If you have any questions or comments about this advisory: * Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.04403 https://api.first.org/data/v1/epss?cve=CVE-2007-3215
generic_textual HIGH https://cxsecurity.com/issue/WLB-2007060063
generic_textual HIGH https://exchange.xforce.ibmcloud.com/vulnerabilities/34818
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-6h78-85v2-mmch
generic_textual HIGH https://github.com/PHPMailer/PHPMailer
cvssv3.1_qr HIGH https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-6h78-85v2-mmch
generic_textual HIGH https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-6h78-85v2-mmch
generic_textual HIGH https://seclists.org/fulldisclosure/2011/Oct/223
generic_textual HIGH https://sourceforge.net/p/phpmailer/bugs/192
generic_textual HIGH https://web.archive.org/web/20070714054359/http://larholm.com/2007/06/11/phpmailer-0day-remote-execution
generic_textual HIGH https://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2007-3215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
https://cxsecurity.com/issue/WLB-2007060063
https://exchange.xforce.ibmcloud.com/vulnerabilities/34818
https://github.com/PHPMailer/PHPMailer
https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-6h78-85v2-mmch
https://seclists.org/fulldisclosure/2011/Oct/223
https://sourceforge.net/p/phpmailer/bugs/192
https://sourceforge.net/p/phpmailer/bugs/192/
https://web.archive.org/web/20070714054359/http://larholm.com/2007/06/11/phpmailer-0day-remote-execution
https://web.archive.org/web/20070714054359/http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
https://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce
429179 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429179
429194 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429194
GHSA-6h78-85v2-mmch https://github.com/advisories/GHSA-6h78-85v2-mmch
USN-791-1 https://usn.ubuntu.com/791-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.89172
EPSS Score 0.04403
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:44:01.815577+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-6h78-85v2-mmch/GHSA-6h78-85v2-mmch.json 38.6.0