PHPMailer versions prior to 5.2.18 (released December 2016) are vulnerable to CVE-2016-10033 a critical remote code execution vulnerability, responsibly reported by Dawid Golunski.