Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-qrb6-ar5k-eqha
Vulnerability ID VCID-qrb6-ar5k-eqha
Aliases CVE-2016-10034
GHSA-r9mw-gwx9-v3h5
Summary Command Injection The `setFrom` function in the Sendmail adapter in the zend-mail component might allow remote attackers to pass extra parameters to the `mail` command and consequently execute arbitrary code via a `\"` in a crafted e-mail address.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.82322 https://api.first.org/data/v1/epss?cve=CVE-2016-10034
cvssv3.1 9.8 https://framework.zend.com/security/advisory/ZF2016-04
generic_textual CRITICAL https://framework.zend.com/security/advisory/ZF2016-04
cvssv3.1 9.8 https://github.com/zendframework/zend-mail
generic_textual CRITICAL https://github.com/zendframework/zend-mail
cvssv3.1 9.8 https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
generic_textual CRITICAL https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2016-10034
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2016-10034
cvssv3.1 9.8 https://security.gentoo.org/glsa/201804-10
generic_textual CRITICAL https://security.gentoo.org/glsa/201804-10
cvssv3.1 9.8 https://www.exploit-db.com/exploits/40979
generic_textual CRITICAL https://www.exploit-db.com/exploits/40979
cvssv3.1 9.8 https://www.exploit-db.com/exploits/40986
generic_textual CRITICAL https://www.exploit-db.com/exploits/40986
cvssv3.1 9.8 https://www.exploit-db.com/exploits/42221
generic_textual CRITICAL https://www.exploit-db.com/exploits/42221
cvssv3.1 9.8 http://www.securityfocus.com/bid/95144
generic_textual CRITICAL http://www.securityfocus.com/bid/95144
cvssv3.1 9.8 http://www.securitytracker.com/id/1037539
generic_textual CRITICAL http://www.securitytracker.com/id/1037539
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2016-10034
https://framework.zend.com/security/advisory/ZF2016-04
https://github.com/zendframework/zend-mail
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
https://security.gentoo.org/glsa/201804-10
https://www.exploit-db.com/exploits/40979
https://www.exploit-db.com/exploits/40986
https://www.exploit-db.com/exploits/42221
http://www.securityfocus.com/bid/95144
http://www.securitytracker.com/id/1037539
CVE-2016-10034 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/40979.php
CVE-2016-10034 https://nvd.nist.gov/vuln/detail/CVE-2016-10034
Data source Exploit-DB
Date added Dec. 30, 2016
Description Zend Framework / zend-mail < 2.4.11 - Remote Code Execution
Ransomware campaign use Unknown
Source publication date Dec. 30, 2016
Exploit type webapps
Platform php
Source update date Dec. 30, 2016
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://framework.zend.com/security/advisory/ZF2016-04
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/zendframework/zend-mail
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2016-10034
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/201804-10
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/40979
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/40986
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/42221
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/bid/95144
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securitytracker.com/id/1037539
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.99241
EPSS Score 0.82322
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:36:43.187080+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zend-mail/CVE-2016-10034.yml 38.6.0