Vulnerability Database

309,084

Total vulnerabilities in the database

CVE-2017-15806

The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php."

Published: Nov 15, 2017
Updated: Nov 9, 2025
CVE: CVE-2017-15806
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
zetacomponents / mail	-	1.8.2

http://www.securityfocus.com/bid/101866
https://github.com/zetacomponents/Mail/issues/58
https://github.com/zetacomponents/Mail/releases/tag/1.8.2
https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability/
https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong/
https://www.exploit-db.com/exploits/43155/

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo