Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    757 vulnerabilities by php

    CVE-2026-14355 (GCVE-0-2026-14355)

    Vulnerability from nvd – Published: 2026-07-03 20:57 – Updated: 2026-07-06 13:57
    VLAI
    Title
    ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD
    Summary
    In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-122 - Heap-based buffer overflow
    Assigner
    php
    Impacted products
    Vendor Product Version
    php php Affected: 8.2.0 , < 8.2.32 (semver)
    Affected: 8.3.0 , < 8.3.32 (semver)
    Affected: 8.4.0 , < 8.4.23 (semver)
    Affected: 8.5.0 , < 8.5.8 (semver)
    Create a notification for this product.
    Credits
    Oleg Baturin David CARLIER
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-04T15:25:16.999Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2026/07/msg00010.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14355",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T13:57:51.767008Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T13:57:58.387Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.php.net/",
              "defaultStatus": "affected",
              "modules": [
                "ext/openssl"
              ],
              "packageName": "openssl",
              "product": "php",
              "vendor": "php",
              "versions": [
                {
                  "lessThan": "8.2.32",
                  "status": "affected",
                  "version": "8.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.32",
                  "status": "affected",
                  "version": "8.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.23",
                  "status": "affected",
                  "version": "8.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.8",
                  "status": "affected",
                  "version": "8.5.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Oleg Baturin"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "David CARLIER"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIn PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort.\u003c/p\u003e"
                }
              ],
              "value": "In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122 Heap-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-03T20:59:02.604Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "name": "GitHub Security Advisory GHSA-7jrw-539f-x6vr",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/php/php-src/security/advisories/GHSA-7jrw-539f-x6vr"
            }
          ],
          "source": {
            "advisory": "GHSA-7jrw-539f-x6vr",
            "defenseOmission": false,
            "discovery": "EXTERNAL"
          },
          "title": "ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2026-14355",
        "datePublished": "2026-07-03T20:57:31.958Z",
        "dateReserved": "2026-07-01T17:52:41.706Z",
        "dateUpdated": "2026-07-06T13:57:58.387Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45062 (GCVE-0-2026-45062)

    Vulnerability from nvd – Published: 2026-06-10 17:38 – Updated: 2026-06-11 14:00
    VLAI
    Title
    FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
    Summary
    FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-176 - Improper Handling of Unicode Encoding
    • CWE-178 - Improper Handling of Case Sensitivity
    Assigner
    References
    Impacted products
    Vendor Product Version
    php frankenphp Affected: >= 1.11.2, < 1.12.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45062",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-11T14:00:18.823214Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-11T14:00:50.845Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frankenphp",
              "vendor": "php",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.11.2, \u003c 1.12.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-176",
                  "description": "CWE-176: Improper Handling of Unicode Encoding",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-178",
                  "description": "CWE-178: Improper Handling of Case Sensitivity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T17:38:42.454Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm"
            },
            {
              "name": "https://github.com/php/frankenphp/releases/tag/v1.12.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/php/frankenphp/releases/tag/v1.12.3"
            }
          ],
          "source": {
            "advisory": "GHSA-3g8v-8r37-cgjm",
            "discovery": "UNKNOWN"
          },
          "title": "FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45062",
        "datePublished": "2026-06-10T17:38:42.454Z",
        "dateReserved": "2026-05-08T18:45:10.095Z",
        "dateUpdated": "2026-06-11T14:00:50.845Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7263 (GCVE-0-2026-7263)

    Vulnerability from nvd – Published: 2026-05-10 04:43 – Updated: 2026-06-30 12:11
    VLAI
    Title
    DoS attack via DOMNode::C14N()
    Summary
    In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-404 - Improper Resource Shutdown or Release
    • CWE-835 - Loop with unreachable exit condition ('infinite loop')
    • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
    Assigner
    php
    Impacted products
    Date Public
    2026-05-07 00:00
    Credits
    Nikita Sveshnikov (Positive Technologies) Ilija Tovilo
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7263",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T13:04:22.553796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T13:04:26.399Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-10T04:43:04.483Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in PHP. The `DOMNode::C14N()` method may incorrectly process XML data due to the improper removal of an `xmlns` attribute from the underlying libxml2 data structure, corrupting the linked list representing the XML document and causing an infinite loop. This issue can lead to excessive resource consumption, eventually resulting in a denial of service in the processing application."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-835",
                    "description": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:11:00.489Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-7263"
              },
              {
                "name": "RHBZ#2468572",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468572"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7263.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22649"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:22649: Red Hat Enterprise Linux AppStream (v. 10)"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-10T06:00:59.933Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-10T04:43:04.483Z",
                "value": "Made public."
              }
            ],
            "title": "php: denial of service via DOMNode::C14N()",
            "workarounds": [
              {
                "lang": "en",
                "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "dom",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.4.21",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.6",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nikita Sveshnikov (Positive Technologies)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Ilija Tovilo"
            }
          ],
          "datePublic": "2026-05-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, \u003ccode\u003eDOMNode::C14N()\u003c/code\u003e\u0026nbsp;method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N()\u00a0method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-404",
                  "description": "CWE-404 Improper Resource Shutdown or Release",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-835",
                  "description": "CWE-835 Loop with unreachable exit condition (\u0027infinite loop\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-10T04:46:28.150Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733"
            }
          ],
          "source": {
            "advisory": "GHSA-4jhr-8w89-j733",
            "discovery": "EXTERNAL"
          },
          "title": "DoS attack via DOMNode::C14N()",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2026-7263",
        "datePublished": "2026-05-10T04:43:04.483Z",
        "dateReserved": "2026-04-28T05:12:25.217Z",
        "dateUpdated": "2026-06-30T12:11:00.489Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6104 (GCVE-0-2026-6104)

    Vulnerability from nvd – Published: 2026-05-10 04:35 – Updated: 2026-06-30 12:11
    VLAI
    Title
    Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
    Summary
    In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    php
    Impacted products
    Date Public
    2026-05-07 00:00
    Credits
    Akshay Jain Ilija Tovilo
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6104",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T13:04:44.572023Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T13:04:58.462Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-10T04:35:17.328Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in PHP. When an encoding name containing an embedded NUL byte is passed to `mb_convert_encoding()` or related mbstring functions, an out-of-bounds read of only 1 byte can occur due to the incorrect processing of string lengths. This issue can cause a denial of service or limited information disclosure."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-125",
                    "description": "Out-of-bounds Read",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:11:10.359Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-6104"
              },
              {
                "name": "RHBZ#2468573",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468573"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6104.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22649"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:22649: Red Hat Enterprise Linux AppStream (v. 10)"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-10T06:01:02.802Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-10T04:35:17.328Z",
                "value": "Made public."
              }
            ],
            "title": "php: global buffer over-read in mb_convert_encoding() with attacker-supplied encoding",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this vulnerability, sanitize any input containing a NUL byte before calling the vulnerable mbstring functions. Also, verify your PHP configuration to ensure the vulnerable INI settings are using securely hardcoded encodings."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "mbstring",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.4.21",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.6",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Akshay Jain"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Ilija Tovilo"
            }
          ],
          "datePublic": "2026-05-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to \u003ccode\u003emb_convert_encoding()\u003c/code\u003e or related mbstring functions, the code incorrectly assumes that when\u0026nbsp;\u003ccode\u003estrncasecmp()\u003c/code\u003e\u0026nbsp;returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash.\u003cspan\u003e\u0026nbsp;Affected functions include \u003c/span\u003e\u003ccode\u003emb_convert_encoding()\u003c/code\u003e\u003cspan\u003e, \u003c/span\u003e\u003ccode\u003emb_detect_encoding()\u003c/code\u003e\u003cspan\u003e, \u003c/span\u003e\u003ccode\u003emb_convert_variables()\u003c/code\u003e\u003cspan\u003e, and \u003c/span\u003e\u003ccode\u003emb_detect_order()\u003c/code\u003e\u003cspan\u003e, as well as the \u003c/span\u003e\u003ccode\u003embstring.detect_order\u003c/code\u003e\u003cspan\u003e and \u003c/span\u003e\u003ccode\u003embstring.http_output\u003c/code\u003e\u003cspan\u003e INI settings.\u003c/span\u003e"
                }
              ],
              "value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when\u00a0strncasecmp()\u00a0returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash.\u00a0Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125 Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-10T04:35:17.328Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53"
            }
          ],
          "source": {
            "advisory": "GHSA-74r9-qxhc-fx53",
            "discovery": "EXTERNAL"
          },
          "title": "Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2026-6104",
        "datePublished": "2026-05-10T04:35:17.328Z",
        "dateReserved": "2026-04-11T04:15:03.938Z",
        "dateUpdated": "2026-06-30T12:11:10.359Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7568 (GCVE-0-2026-7568)

    Vulnerability from nvd – Published: 2026-05-10 03:42 – Updated: 2026-07-02 12:05
    VLAI
    Title
    Signed integer overflow in metaphone()
    Summary
    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    • CWE-125 - Out-of-bounds Read
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.2.* , < 8.2.31 (semver)
    Affected: 8.3.* , < 8.3.31 (semver)
    Affected: 8.4.* , < 8.4.21 (semver)
    Affected: 8.5.* , < 8.5.6 (semver)
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Date Public
    2026-05-07 00:00
    Credits
    Aleksey Solovev (Positive Technologies) Tim Düsterhus
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7568",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T13:25:08.120406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T13:25:17.197Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-10T03:42:36.433Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in PHP. The metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. When an input string is longer than 2,147,483,647 bytes, a signed integer overflow can occur, leading to undefined behavior and an out-of-bounds read. This issue can cause a denial of service."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-190",
                    "description": "Integer Overflow or Wraparound",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T12:05:11.835Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-7568"
              },
              {
                "name": "RHBZ#2468566",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468566"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7568.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:23388"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22649"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:34354"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22305"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22142"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22143"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:33449"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:23388: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22649: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:34354: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22305: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22142: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22143: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:33449: Red Hat Enterprise Linux AppStream (v. 9)"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-10T05:01:02.287Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-10T03:42:36.433Z",
                "value": "Made public."
              }
            ],
            "title": "php: signed integer overflow in metaphone()",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this vulnerability, validate the length of any user-controlled input before passing it to the metaphone() function. Also, verify the PHP and web server configuration to ensure memory limits and maximum request sizes are restricted to below ~2 GiB."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.2.31",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.31",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.21",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.6",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Aleksey Solovev (Positive Technologies)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Tim D\u00fcsterhus"
            }
          ],
          "datePublic": "2026-05-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the \u003ccode\u003emetaphone()\u003c/code\u003e function in ext/standard/metaphone.c uses a \u003ccode\u003esigned int\u003c/code\u003e variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process."
                }
              ],
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-92",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-92 Forced Integer Overflow"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/RE:L/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190 Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125 Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-10T04:44:29.452Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57"
            }
          ],
          "source": {
            "advisory": "GHSA-96wq-48vp-hh57",
            "discovery": "EXTERNAL"
          },
          "title": "Signed integer overflow in metaphone()",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2026-7568",
        "datePublished": "2026-05-10T03:42:36.433Z",
        "dateReserved": "2026-04-30T21:08:49.047Z",
        "dateUpdated": "2026-07-02T12:05:11.835Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7262 (GCVE-0-2026-7262)

    Vulnerability from nvd – Published: 2026-05-10 04:00 – Updated: 2026-07-02 12:05
    VLAI
    Title
    NULL pointer dereference in SOAP apache:Map decoder with missing <value>
    Summary
    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.  This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL pointer dereference
    • CWE-476 - NULL Pointer Dereference
    Assigner
    php
    References
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.2.* , < 8.2.31 (semver)
    Affected: 8.3.* , < 8.3.31 (semver)
    Affected: 8.4.* , < 8.4.21 (semver)
    Affected: 8.5.* , < 8.5.6 (semver)
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Date Public
    2026-05-07 00:00
    Credits
    Ilia Alshanetsky Ilija Tovilo
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T13:14:44.873228Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T13:14:53.526Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-10T04:00:09.382Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in PHP. When a PHP SOAP server has a typemap configured, the apache:Map decoding process checks the incorrect variable in case of a missing value element. This incorrect check leads to a NULL pointer dereference and allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in a denial of service."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-476",
                    "description": "NULL Pointer Dereference",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T12:05:12.161Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-7262"
              },
              {
                "name": "RHBZ#2468565",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468565"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7262.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:23388"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22649"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:34354"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22305"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22142"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22143"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:33449"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:23388: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22649: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:34354: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22305: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22142: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22143: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:33449: Red Hat Enterprise Linux AppStream (v. 9)"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-10T05:00:59.484Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-10T04:00:09.382Z",
                "value": "Made public."
              }
            ],
            "title": "php: NULL pointer dereference in SOAP apache:Map decoder with missing \u003cvalue\u003e",
            "workarounds": [
              {
                "lang": "en",
                "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "packageName": "soap",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.2.31",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.31",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.21",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.6",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ilia Alshanetsky"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Ilija Tovilo"
            }
          ],
          "datePublic": "2026-05-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.\u0026nbsp; This leads to\u0026nbsp;dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service."
                }
              ],
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.\u00a0 This leads to\u00a0dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.9,
                "baseSeverity": "LOW",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476 NULL pointer dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-10T04:00:09.382Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv"
            }
          ],
          "source": {
            "advisory": "GHSA-hmxp-6pc4-f3vv",
            "discovery": "INTERNAL"
          },
          "title": "NULL pointer dereference in SOAP apache:Map decoder with missing \u003cvalue\u003e",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2026-7262",
        "datePublished": "2026-05-10T04:00:09.382Z",
        "dateReserved": "2026-04-28T05:09:37.127Z",
        "dateUpdated": "2026-07-02T12:05:12.161Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7261 (GCVE-0-2026-7261)

    Vulnerability from nvd – Published: 2026-05-10 04:07 – Updated: 2026-05-11 13:14
    VLAI
    Title
    SoapServer session-persisted object use-after-free via SOAP header fault
    Summary
    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    php
    References
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.2.* , < 8.2.31 (semver)
    Affected: 8.3.* , < 8.3.31 (semver)
    Affected: 8.4.* , < 8.4.21 (semver)
    Affected: 8.5.* , < 8.5.6 (semver)
    Create a notification for this product.
    Date Public
    2026-05-07 00:00
    Credits
    Ilia Alshanetsky Ilija Tovilo
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7261",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T13:14:14.879341Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T13:14:26.451Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "packageName": "soap",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.2.31",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.31",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.21",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.6",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ilia Alshanetsky"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Ilija Tovilo"
            }
          ],
          "datePublic": "2026-05-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when \u003ccode\u003eSoapServer\u003c/code\u003e is configured with \u003ccode\u003eSOAP_PERSISTENCE_SESSION\u003c/code\u003e, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system."
                }
              ],
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:P/AU:Y/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416 Use after free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-10T04:07:25.484Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q"
            }
          ],
          "source": {
            "advisory": "GHSA-m33r-qmcv-p97q",
            "discovery": "EXTERNAL"
          },
          "title": "SoapServer session-persisted object use-after-free via SOAP header fault",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2026-7261",
        "datePublished": "2026-05-10T04:07:25.484Z",
        "dateReserved": "2026-04-28T05:08:46.198Z",
        "dateUpdated": "2026-05-11T13:14:26.451Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7259 (GCVE-0-2026-7259)

    Vulnerability from nvd – Published: 2026-05-10 04:13 – Updated: 2026-05-11 13:13
    VLAI
    Title
    Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
    Summary
    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to  a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    php
    References
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.2.* , < 8.2.31 (semver)
    Affected: 8.3.* , < 8.3.31 (semver)
    Affected: 8.4.* , < 8.4.21 (semver)
    Affected: 8.5.* , < 8.5.6 (semver)
    Create a notification for this product.
    Date Public
    2026-05-07 00:00
    Credits
    Viet Hoang Luu (The University of Melbourne) Amirmohammad Pasdar (The University of Melbourne) Wachiraphan Charoenwet (The University of Melbourne) Shaanan Cohney (The University of Melbourne) Toby Murray (The University of Melbourne) Van-Thuan Pham (The University of Melbourne) Ilija Tovilo
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T13:12:58.875843Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T13:13:50.416Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "packageName": "mbstring",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.2.31",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.31",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.21",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.6",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Viet Hoang Luu (The University of Melbourne)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Amirmohammad Pasdar (The University of Melbourne)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Wachiraphan Charoenwet (The University of Melbourne)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Shaanan Cohney (The University of Melbourne)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Toby Murray (The University of Melbourne)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Van-Thuan Pham (The University of Melbourne)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Ilija Tovilo"
            }
          ],
          "datePublic": "2026-05-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to\u0026nbsp;\u0026nbsp;a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to\u0026nbsp;\u003ccode\u003emb_regex_encoding()\u003c/code\u003e."
                }
              ],
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to\u00a0\u00a0a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to\u00a0mb_regex_encoding()."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476 NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-10T04:13:26.766Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75"
            }
          ],
          "source": {
            "advisory": "GHSA-wm6j-2649-pv75",
            "discovery": "EXTERNAL"
          },
          "title": "Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2026-7259",
        "datePublished": "2026-05-10T04:13:26.766Z",
        "dateReserved": "2026-04-28T05:07:03.118Z",
        "dateUpdated": "2026-05-11T13:13:50.416Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7258 (GCVE-0-2026-7258)

    Vulnerability from nvd – Published: 2026-05-10 04:28 – Updated: 2026-05-11 13:06
    VLAI
    Title
    Out-of-bounds read in urldecode() on NetBSD
    Summary
    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    php
    References
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.2.* , < 8.2.31 (semver)
    Affected: 8.3.* , < 8.3.31 (semver)
    Affected: 8.4.* , < 8.4.21 (semver)
    Affected: 8.5.* , < 8.5.6 (semver)
    Create a notification for this product.
    Date Public
    2026-05-07 00:00
    Credits
    xfourj Ilija Tovilo
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7258",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T13:05:55.470310Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T13:06:10.908Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "platforms": [
                "NetBSD"
              ],
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.2.31",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.31",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.21",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.6",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "xfourj"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Ilija Tovilo"
            }
          ],
          "datePublic": "2026-05-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like\u0026nbsp;\u003ccode\u003eisxdigit()\u003c/code\u003e). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which\u0026nbsp;can trigger a denial of service."
                }
              ],
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like\u00a0isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which\u00a0can trigger a denial of service."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125 Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-10T04:45:03.566Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4"
            }
          ],
          "source": {
            "advisory": "GHSA-m8rr-4c36-8gq4",
            "discovery": "EXTERNAL"
          },
          "title": "Out-of-bounds read in urldecode() on NetBSD",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2026-7258",
        "datePublished": "2026-05-10T04:28:14.520Z",
        "dateReserved": "2026-04-28T04:58:17.457Z",
        "dateUpdated": "2026-05-11T13:06:10.908Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6735 (GCVE-0-2026-6735)

    Vulnerability from nvd – Published: 2026-05-10 03:27 – Updated: 2026-05-11 13:25
    VLAI
    Title
    XSS within PHP-FPM status endpoint
    Summary
    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.2.* , < 8.2.31 (semver)
    Affected: 8.3.* , < 8.3.31 (semver)
    Affected: 8.4.* , < 8.4.21 (semver)
    Affected: 8.5.* , < 8.5.6 (semver)
    Create a notification for this product.
    Date Public
    2026-05-07 12:56
    Credits
    conradfd@proton.me
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6735",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T13:25:43.011891Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T13:25:54.957Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.2.31",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.31",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.21",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.6",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "conradfd@proton.me"
            }
          ],
          "datePublic": "2026-05-07T12:56:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIn PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it\u0026nbsp;\u003cspan\u003eallows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target\u0027s machine when the target is viewing the\u0026nbsp;\u003c/span\u003e\u003cspan\u003ePHP-FPM status page.\u003c/span\u003e\u003c/p\u003e"
                }
              ],
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it\u00a0allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target\u0027s machine when the target is viewing the\u00a0PHP-FPM status page."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-10T03:27:00.607Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv"
            }
          ],
          "source": {
            "advisory": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9f",
            "discovery": "EXTERNAL"
          },
          "title": "XSS within PHP-FPM status endpoint",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2026-6735",
        "datePublished": "2026-05-10T03:27:00.607Z",
        "dateReserved": "2026-04-21T00:39:47.273Z",
        "dateUpdated": "2026-05-11T13:25:54.957Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6722 (GCVE-0-2026-6722)

    Vulnerability from nvd – Published: 2026-05-10 04:19 – Updated: 2026-07-02 12:05
    VLAI
    Title
    Use-After-Free in SOAP using Apache map
    Summary
    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.2.* , < 8.2.31 (semver)
    Affected: 8.3.* , < 8.3.31 (semver)
    Affected: 8.4.* , < 8.4.21 (semver)
    Affected: 8.5.* , < 8.5.6 (semver)
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Date Public
    2026-05-07 00:00
    Credits
    brettgervasoni Ilija Tovilo Nora Dossche
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6722",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T03:55:18.668Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-10T04:19:15.288Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in PHP\u0027s SOAP extension. This vulnerability allows a remote attacker to execute arbitrary code on the affected system. The issue stems from a use-after-free error in the object deduplication mechanism, which can be triggered by sending a specially crafted SOAP request. This allows an attacker to manipulate memory and achieve remote code execution."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 7.7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-825",
                    "description": "Expired Pointer Dereference",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T12:05:12.533Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-6722"
              },
              {
                "name": "RHBZ#2468560",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468560"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6722.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:34354"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:33449"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:34354: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:33449: Red Hat Enterprise Linux AppStream (v. 9)"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-10T05:00:46.220Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-10T04:19:15.288Z",
                "value": "Made public."
              }
            ],
            "title": "php: php-soap: php-src: PHP SOAP extension: Remote Code Execution via use-after-free vulnerability",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "packageName": "soap",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.2.31",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.31",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.21",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.6",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "brettgervasoni"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Ilija Tovilo"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Nora Dossche"
            }
          ],
          "datePublic": "2026-05-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension\u0027s object deduplication mechanism stores pointers to PHP objects in a global map\u0026nbsp;without incrementing their reference counts. When an \u003ccode\u003eapache:Map\u003c/code\u003e node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in \u003ccode\u003ethe map\u003c/code\u003e. A subsequent \u003ccode\u003ehref\u003c/code\u003e reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution."
                }
              ],
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension\u0027s object deduplication mechanism stores pointers to PHP objects in a global map\u00a0without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/RE:M/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416 Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-10T04:19:15.288Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5"
            }
          ],
          "source": {
            "advisory": "GHSA-85c2-q967-79q5",
            "discovery": "EXTERNAL"
          },
          "title": "Use-After-Free in SOAP using Apache map",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2026-6722",
        "datePublished": "2026-05-10T04:19:15.288Z",
        "dateReserved": "2026-04-20T19:39:59.836Z",
        "dateUpdated": "2026-07-02T12:05:12.533Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14179 (GCVE-0-2025-14179)

    Vulnerability from nvd – Published: 2026-05-10 03:51 – Updated: 2026-06-30 12:07
    VLAI
    Title
    SQL injection in pdo_firebird via NUL bytes in quoted strings
    Summary
    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.2.* , < 8.2.31 (semver)
    Affected: 8.3.* , < 8.3.31 (semver)
    Affected: 8.4.* , < 8.4.21 (semver)
    Affected: 8.5.* , < 8.5.6 (semver)
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Date Public
    2026-05-07 00:00
    Credits
    Aleksey Solovev (Positive Technologies) Nikita Sveshnikov (Positive Technologies) Ilija Tovilo Arnaud Le Blanc Saki Takamachi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14179",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T15:23:23.501909Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T15:23:35.010Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-10T03:51:14.596Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in PHP. The PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This flaw allows SQL injection when attacker-controlled values are quoted via `PDO::quote()` and embedded in SQL\u00a0statements."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:07:24.427Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2025-14179"
              },
              {
                "name": "RHBZ#2468567",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468567"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-14179.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-10T05:01:04.913Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-10T03:51:14.596Z",
                "value": "Made public."
              }
            ],
            "title": "php: SQL injection in pdo_firebird via NUL bytes in quoted strings",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this issue, do not use \u0027PDO::quote()\u0027 for manual query concatenation. Refactor the application to use native parameterized prepared statements. Additionally, implement an input validation mechanism to reject any user-supplied data containing control characters, specifically the NUL byte (\\x00)."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "packageName": "pdo_firebird",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.2.31",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.31",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.21",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.6",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Aleksey Solovev (Positive Technologies)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Nikita Sveshnikov (Positive Technologies)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Ilija Tovilo"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Arnaud Le Blanc"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Saki Takamachi"
            }
          ],
          "datePublic": "2026-05-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via \u003ccode\u003estrncat()\u003c/code\u003e, which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via \u003ccode\u003ePDO::quote()\u003c/code\u003e and embedded in SQL\u0026nbsp;statements."
                }
              ],
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL\u00a0statements."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-10T03:51:14.596Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm"
            }
          ],
          "source": {
            "advisory": "GHSA-w476-322c-wpvm",
            "discovery": "EXTERNAL"
          },
          "title": "SQL injection in pdo_firebird via NUL bytes in quoted strings",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2025-14179",
        "datePublished": "2026-05-10T03:51:14.596Z",
        "dateReserved": "2025-12-06T06:34:43.979Z",
        "dateUpdated": "2026-06-30T12:07:24.427Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24895 (GCVE-0-2026-24895)

    Vulnerability from nvd – Published: 2026-02-12 19:16 – Updated: 2026-02-12 20:04
    VLAI
    Title
    FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files
    Summary
    FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize
    Assigner
    Impacted products
    Vendor Product Version
    php frankenphp Affected: < 1.11.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24895",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T20:03:49.803836Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-12T20:04:07.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frankenphp",
              "vendor": "php",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.11.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP\u2019s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., \u023a expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.9,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-180",
                  "description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T19:16:06.618Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38"
            },
            {
              "name": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e"
            },
            {
              "name": "https://github.com/php/frankenphp/releases/tag/v1.11.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/php/frankenphp/releases/tag/v1.11.2"
            }
          ],
          "source": {
            "advisory": "GHSA-g966-83w7-6w38",
            "discovery": "UNKNOWN"
          },
          "title": "FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-24895",
        "datePublished": "2026-02-12T19:16:06.618Z",
        "dateReserved": "2026-01-27T19:35:20.529Z",
        "dateUpdated": "2026-02-12T20:04:07.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24894 (GCVE-0-2026-24894)

    Vulnerability from nvd – Published: 2026-02-12 19:12 – Updated: 2026-02-12 20:04
    VLAI
    Title
    FrankenPHP leaks session data between requests in worker mode
    Summary
    FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    • CWE-384 - Session Fixation
    • CWE-613 - Insufficient Session Expiration
    Assigner
    Impacted products
    Vendor Product Version
    php frankenphp Affected: < 1.11.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24894",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T20:04:24.224705Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-12T20:04:57.869Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frankenphp",
              "vendor": "php",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.11.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-384",
                  "description": "CWE-384: Session Fixation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T19:12:04.387Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp"
            },
            {
              "name": "https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735"
            },
            {
              "name": "https://github.com/php/frankenphp/releases/tag/v1.11.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/php/frankenphp/releases/tag/v1.11.2"
            }
          ],
          "source": {
            "advisory": "GHSA-r3xh-3r3w-47gp",
            "discovery": "UNKNOWN"
          },
          "title": "FrankenPHP leaks session data between requests in worker mode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-24894",
        "datePublished": "2026-02-12T19:12:04.387Z",
        "dateReserved": "2026-01-27T19:35:20.529Z",
        "dateUpdated": "2026-02-12T20:04:57.869Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14180 (GCVE-0-2025-14180)

    Vulnerability from nvd – Published: 2025-12-27 19:21 – Updated: 2025-12-29 16:00
    VLAI
    Title
    NULL Pointer Dereference in PDO quoting
    Summary
    In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.34 (semver)
    Affected: 8.2.* , < 8.2.30 (semver)
    Affected: 8.3.* , < 8.3.29 (semver)
    Affected: 8.4.* , < 8.4.16 (semver)
    Affected: 8.5.* , < 8.5.1 (semver)
    Create a notification for this product.
    Date Public
    2025-12-18 00:00
    Credits
    Aleksey Solovev (Positive Technologies)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14180",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-29T15:59:59.281968Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-29T16:00:11.239Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "packageName": "pdo",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.34",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.30",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.29",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.16",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.1",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Aleksey Solovev (Positive Technologies)"
            }
          ],
          "datePublic": "2025-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \\x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.\u003cbr\u003e"
                }
              ],
              "value": "In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \\x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476 NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-27T19:21:20.768Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj"
            }
          ],
          "source": {
            "advisory": "GHSA-8xr5-qppj-gvwj",
            "discovery": "EXTERNAL"
          },
          "title": "NULL Pointer Dereference in PDO quoting",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2025-14180",
        "datePublished": "2025-12-27T19:21:20.768Z",
        "dateReserved": "2025-12-06T06:43:11.174Z",
        "dateUpdated": "2025-12-29T16:00:11.239Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14178 (GCVE-0-2025-14178)

    Vulnerability from nvd – Published: 2025-12-27 19:27 – Updated: 2026-01-24 11:04
    VLAI
    Title
    Heap buffer overflow in array_merge()
    Summary
    In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-787 - Out-of-bounds Write
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.34 (semver)
    Affected: 8.2.* , < 8.2.30 (semver)
    Affected: 8.3.* , < 8.3.29 (semver)
    Affected: 8.4.* , < 8.4.16 (semver)
    Affected: 8.5.* , < 8.5.1 (semver)
    Create a notification for this product.
    Date Public
    2025-12-18 00:00
    Credits
    Niels Dossche
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14178",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-29T16:00:50.197017Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-29T16:01:02.639Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-01-24T11:04:01.892Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00019.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "packageName": "php",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.34",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.30",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.29",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.16",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.1",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Niels Dossche"
            }
          ],
          "datePublic": "2025-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIn PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.\u003c/p\u003e"
                }
              ],
              "value": "In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787 Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190 Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-27T19:27:41.691Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2"
            }
          ],
          "source": {
            "advisory": "GHSA-h96m-rvf9-jgm2",
            "discovery": "INTERNAL"
          },
          "title": "Heap buffer overflow in array_merge()",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2025-14178",
        "datePublished": "2025-12-27T19:27:41.691Z",
        "dateReserved": "2025-12-06T06:25:31.535Z",
        "dateUpdated": "2026-01-24T11:04:01.892Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14177 (GCVE-0-2025-14177)

    Vulnerability from nvd – Published: 2025-12-27 19:33 – Updated: 2025-12-29 16:01
    VLAI
    Title
    Information Leak of Memory in getimagesize
    Summary
    In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.34 (semver)
    Affected: 8.2.* , < 8.2.30 (semver)
    Affected: 8.3.* , < 8.3.29 (semver)
    Affected: 8.4.* , < 8.4.16 (semver)
    Affected: 8.5.* , < 8.5.1 (semver)
    Create a notification for this product.
    Date Public
    2025-12-18 00:00
    Credits
    Nikita Sveshnikov (Positive Technologies)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14177",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-29T16:01:25.714908Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-29T16:01:36.231Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "packageName": "php",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.34",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.30",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.29",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.16",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.5.1",
                  "status": "affected",
                  "version": "8.5.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Nikita Sveshnikov (Positive Technologies)"
            }
          ],
          "datePublic": "2025-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIn PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.\u003c/p\u003e"
                }
              ],
              "value": "In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125 Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-27T19:33:23.973Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7"
            }
          ],
          "source": {
            "advisory": "GHSA-3237-qqm7-mfv7",
            "discovery": "EXTERNAL"
          },
          "title": "Information Leak of Memory in getimagesize",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2025-14177",
        "datePublished": "2025-12-27T19:33:23.973Z",
        "dateReserved": "2025-12-06T06:23:06.907Z",
        "dateUpdated": "2025-12-29T16:01:36.231Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1735 (GCVE-0-2025-1735)

    Vulnerability from nvd – Published: 2025-07-13 22:27 – Updated: 2025-11-04 21:09
    VLAI
    Title
    pgsql extension does not check for errors during escaping
    Summary
    In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-476 - NULL Pointer Dereference
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.33 (semver)
    Affected: 8.2.* , < 8.2.29 (semver)
    Affected: 8.3.* , < 8.3.23 (semver)
    Affected: 8.4.* , < 8.4.10 (semver)
    Create a notification for this product.
    Date Public
    2025-07-03 12:27
    Credits
    Andres Freund
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1735",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-14T15:58:08.629332Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-14T15:58:13.474Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:09:33.172Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00017.html"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/07/11/4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "pgsql",
                "pdo_pgsql"
              ],
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.33",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.29",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.23",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.10",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Andres Freund"
            }
          ],
          "datePublic": "2025-07-03T12:27:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This\u0026nbsp;could cause crashes if Postgres server rejects the string as invalid.\u0026nbsp;"
                }
              ],
              "value": "In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This\u00a0could cause crashes if Postgres server rejects the string as invalid."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476 NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-13T22:27:48.299Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3"
            }
          ],
          "source": {
            "advisory": "GHSA-hrwm-9436-5mv3",
            "discovery": "EXTERNAL"
          },
          "title": "pgsql extension does not check for errors during escaping",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2025-1735",
        "datePublished": "2025-07-13T22:27:48.299Z",
        "dateReserved": "2025-02-27T04:04:57.553Z",
        "dateUpdated": "2025-11-04T21:09:33.172Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1220 (GCVE-0-2025-1220)

    Vulnerability from nvd – Published: 2025-07-13 22:18 – Updated: 2025-11-04 21:09
    VLAI
    Title
    Null byte termination in hostnames
    Summary
    In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.33 (semver)
    Affected: 8.2.* , < 8.2.29 (semver)
    Affected: 8.3.* , < 8.3.23 (semver)
    Affected: 8.4.* , < 8.4.10 (semver)
    Create a notification for this product.
    Date Public
    2025-07-03 12:27
    Credits
    Jihwan Kim
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1220",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-14T15:58:46.330104Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-14T15:58:49.718Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:09:17.792Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00017.html"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/07/11/4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.33",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.29",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.23",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.10",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jihwan Kim"
            }
          ],
          "datePublic": "2025-07-03T12:27:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.\u0026nbsp;"
                }
              ],
              "value": "In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-13T22:18:36.974Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r"
            }
          ],
          "source": {
            "advisory": "GHSA-453j-q27h-5p8x",
            "discovery": "EXTERNAL"
          },
          "title": "Null byte termination in hostnames",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2025-1220",
        "datePublished": "2025-07-13T22:18:36.974Z",
        "dateReserved": "2025-02-11T04:54:48.211Z",
        "dateUpdated": "2025-11-04T21:09:17.792Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-6491 (GCVE-0-2025-6491)

    Vulnerability from nvd – Published: 2025-07-13 22:10 – Updated: 2025-11-04 21:14
    VLAI
    Title
    NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix
    Summary
    In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.33 (semver)
    Affected: 8.2.* , < 8.2.29 (semver)
    Affected: 8.3.* , < 8.3.23 (semver)
    Affected: 8.4.* , < 8.4.10 (semver)
    Create a notification for this product.
    Date Public
    2025-07-03 12:27
    Credits
    Ahmed Lekssays
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-6491",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-14T15:59:51.249317Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-14T15:59:53.756Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:14:48.898Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00017.html"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/07/11/4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "packageName": "soap",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.33",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.29",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.23",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.10",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ahmed Lekssays"
            }
          ],
          "datePublic": "2025-07-03T12:27:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIn PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (\u0026gt;2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.\u0026nbsp;\u003c/p\u003e"
                }
              ],
              "value": "In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (\u003e2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476 NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-13T22:10:15.996Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x"
            }
          ],
          "source": {
            "advisory": "GHSA-453j-q27h-5p8x",
            "discovery": "EXTERNAL"
          },
          "title": "NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2025-6491",
        "datePublished": "2025-07-13T22:10:15.996Z",
        "dateReserved": "2025-06-22T03:05:22.008Z",
        "dateUpdated": "2025-11-04T21:14:48.898Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-11235 (GCVE-0-2024-11235)

    Vulnerability from nvd – Published: 2025-04-04 17:51 – Updated: 2026-02-26 18:28
    VLAI
    Title
    Reference counting in php_request_shutdown causes Use-After-Free
    Summary
    In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=  operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.4.* , < 8.4.5 (semver)
    Affected: 8.3.* , < 8.3.19 (semver)
    Create a notification for this product.
    Date Public
    2025-03-13 17:44
    Credits
    Junwha Hong
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-11235",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-05T03:55:37.904684Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T18:28:56.191Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.4.5",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.19",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Junwha Hong"
            }
          ],
          "datePublic": "2025-03-13T17:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or \u003cspan style=\"background-color: rgba(129, 139, 152, 0.12);\"\u003e??=\u0026nbsp;\u0026nbsp;\u003c/span\u003eoperator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.\u0026nbsp;"
                }
              ],
              "value": "In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=\u00a0\u00a0operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416 Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-04T17:55:56.918Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477"
            }
          ],
          "source": {
            "advisory": "https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc",
            "discovery": "EXTERNAL"
          },
          "title": "Reference counting in php_request_shutdown causes Use-After-Free",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2024-11235",
        "datePublished": "2025-04-04T17:51:07.550Z",
        "dateReserved": "2024-11-15T06:26:33.249Z",
        "dateUpdated": "2026-02-26T18:28:56.191Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1861 (GCVE-0-2025-1861)

    Vulnerability from nvd – Published: 2025-03-30 05:57 – Updated: 2025-11-03 20:57
    VLAI
    Title
    Stream HTTP wrapper truncates redirect location to 1024 bytes
    Summary
    In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-131 - Incorrect Calculation of Buffer Size
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.32 (semver)
    Affected: 8.2.* , < 8.2.28 (semver)
    Affected: 8.3.* , < 8.3.19 (semver)
    Affected: 8.4.* , < 8.4.5 (semver)
    Create a notification for this product.
    Date Public
    2025-03-23 17:44
    Credits
    Jakub Zelenka
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1861",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-31T12:55:53.101020Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-31T12:56:00.966Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T20:57:13.769Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20250523-0005/"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.32",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.28",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.19",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.5",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jakub Zelenka"
            }
          ],
          "datePublic": "2025-03-23T17:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.\u0026nbsp;\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-220",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-220 Client-Server Protocol Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-131",
                  "description": "CWE-131 Incorrect Calculation of Buffer Size",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-30T05:57:57.894Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff"
            }
          ],
          "source": {
            "advisory": "https://github.com/php/php-src/security/advisories/GHSA-52jp-hrp",
            "discovery": "INTERNAL"
          },
          "title": "Stream HTTP wrapper truncates redirect location to 1024 bytes",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2025-1861",
        "datePublished": "2025-03-30T05:57:57.894Z",
        "dateReserved": "2025-03-03T04:47:51.192Z",
        "dateUpdated": "2025-11-03T20:57:13.769Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1736 (GCVE-0-2025-1736)

    Vulnerability from nvd – Published: 2025-03-30 05:49 – Updated: 2025-11-03 20:57
    VLAI
    Title
    Stream HTTP wrapper header check might omit basic auth header
    Summary
    In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.32 (semver)
    Affected: 8.2.* , < 8.2.28 (semver)
    Affected: 8.3.* , < 8.3.19 (semver)
    Affected: 8.4.* , < 8.4.5 (semver)
    Create a notification for this product.
    Date Public
    2025-03-23 17:43
    Credits
    Jakub Zelenka
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1736",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-31T12:57:12.660404Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-31T12:57:22.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T20:57:10.963Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20250523-0006/"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.32",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.28",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.19",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.5",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jakub Zelenka"
            }
          ],
          "datePublic": "2025-03-23T17:43:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.\u0026nbsp;"
                }
              ],
              "value": "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-33",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-33 HTTP Request Smuggling"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-30T05:49:14.551Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528"
            }
          ],
          "source": {
            "advisory": "https://github.com/php/php-src/security/advisories/GHSA-hgf5-96f",
            "discovery": "INTERNAL"
          },
          "title": "Stream HTTP wrapper header check might omit basic auth header",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2025-1736",
        "datePublished": "2025-03-30T05:49:14.551Z",
        "dateReserved": "2025-02-27T04:07:07.942Z",
        "dateUpdated": "2025-11-03T20:57:10.963Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1734 (GCVE-0-2025-1734)

    Vulnerability from nvd – Published: 2025-03-30 05:43 – Updated: 2025-11-03 20:57
    VLAI
    Title
    Streams HTTP wrapper does not fail for headers with invalid name and no colon
    Summary
    In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.32 (semver)
    Affected: 8.2.* , < 8.2.28 (semver)
    Affected: 8.3.* , < 8.3.19 (semver)
    Affected: 8.4.* , < 8.4.5 (semver)
    Create a notification for this product.
    Date Public
    2025-03-23 17:43
    Credits
    Jakub Zelenka
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1734",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-31T14:21:51.418644Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-01T14:37:34.371Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T20:57:09.506Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20250523-0009/"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.32",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.28",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.19",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.5",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jakub Zelenka"
            }
          ],
          "datePublic": "2025-03-23T17:43:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers."
                }
              ],
              "value": "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-273",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-273 HTTP Response Smuggling"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-30T05:43:35.771Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44"
            }
          ],
          "source": {
            "advisory": "https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36",
            "discovery": "INTERNAL"
          },
          "title": "Streams HTTP wrapper does not fail for headers with invalid name and no colon",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2025-1734",
        "datePublished": "2025-03-30T05:43:35.771Z",
        "dateReserved": "2025-02-27T04:03:59.544Z",
        "dateUpdated": "2025-11-03T20:57:09.506Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1219 (GCVE-0-2025-1219)

    Vulnerability from nvd – Published: 2025-03-30 05:33 – Updated: 2025-11-03 20:57
    VLAI
    Title
    libxml streams use wrong content-type header when requesting a redirected resource
    Summary
    In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.32 (semver)
    Affected: 8.2.* , < 8.2.28 (semver)
    Affected: 8.3.* , < 8.3.19 (semver)
    Affected: 8.4.* , < 8.4.5 (semver)
    Create a notification for this product.
    Date Public
    2025-03-13 17:44
    Credits
    Tim Düsterhus
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1219",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-31T13:10:21.300276Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1116",
                    "description": "CWE-1116 Inaccurate Comments",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-31T13:10:25.062Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T20:57:06.601Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20250523-0007/"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.32",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.28",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.19",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.5",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Tim D\u00fcsterhus"
            }
          ],
          "datePublic": "2025-03-13T17:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIn PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, w\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ehen requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong \u003c/span\u003e\u003ccode\u003econtent-type\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.\u0026nbsp;\u003c/span\u003e\u003c/p\u003e"
                }
              ],
              "value": "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type\u00a0header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-220",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-220 Client-Server Protocol Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-30T05:33:13.801Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc"
            }
          ],
          "source": {
            "advisory": "https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7",
            "discovery": "INTERNAL"
          },
          "title": "libxml streams use wrong content-type header when requesting a redirected resource",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2025-1219",
        "datePublished": "2025-03-30T05:33:13.801Z",
        "dateReserved": "2025-02-11T04:52:06.072Z",
        "dateUpdated": "2025-11-03T20:57:06.601Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1217 (GCVE-0-2025-1217)

    Vulnerability from nvd – Published: 2025-03-29 05:19 – Updated: 2025-11-03 20:57
    VLAI
    Title
    Header parser of http stream wrapper does not handle folded headers
    Summary
    In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.32 (semver)
    Affected: 8.2.* , < 8.2.28 (semver)
    Affected: 8.3.* , < 8.3.19 (semver)
    Affected: 8.4.* , < 8.4.5 (semver)
    Create a notification for this product.
    Date Public
    2025-03-13 17:43
    Credits
    Tim Düsterhus
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1217",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-31T13:23:16.683201Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-31T13:23:21.714Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T20:57:05.208Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20250523-0008/"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.32",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.28",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.19",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.4.5",
                  "status": "affected",
                  "version": "8.4.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Tim D\u00fcsterhus"
            }
          ],
          "datePublic": "2025-03-13T17:43:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIn PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.\u0026nbsp;\u003c/p\u003e"
                }
              ],
              "value": "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-273",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-273 HTTP Response Smuggling"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "AUTOMATIC",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/AU:Y/R:A",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-30T05:33:06.942Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g"
            }
          ],
          "source": {
            "advisory": "https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpv",
            "discovery": "EXTERNAL"
          },
          "title": "Header parser of http stream wrapper does not handle folded headers",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2025-1217",
        "datePublished": "2025-03-29T05:19:33.696Z",
        "dateReserved": "2025-02-11T04:48:36.127Z",
        "dateUpdated": "2025-11-03T20:57:05.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-31631 (GCVE-0-2022-31631)

    Vulnerability from nvd – Published: 2025-02-12 22:10 – Updated: 2025-02-13 16:06
    VLAI
    Title
    PDO::quote() may return unquoted string
    Summary
    In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.0.x , < 8.0.27 (semver)
    Affected: 8.1.x , < 8.1.15 (semver)
    Affected: 8.2.x , < 8.2.2 (semver)
    Create a notification for this product.
    Date Public
    2022-12-19 13:27
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-02-12T23:02:37.689Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20230223-0007/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-31631",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-13T16:06:19.759677Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-13T16:06:41.825Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://bugs.php.net/bug.php?id=81740"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "packageName": "pdo_sqlite",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.0.27",
                  "status": "affected",
                  "version": "8.0.x",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.1.15",
                  "status": "affected",
                  "version": "8.1.x",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.2",
                  "status": "affected",
                  "version": "8.2.x",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2022-12-19T13:27:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIn PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.\u0026nbsp;\u0026nbsp;\u003c/p\u003e"
                }
              ],
              "value": "In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-12T22:10:45.418Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://bugs.php.net/bug.php?id=81740"
            }
          ],
          "source": {
            "advisory": "https://bugs.php.net/bug.php?id=81740",
            "discovery": "INTERNAL"
          },
          "title": "PDO::quote() may return unquoted string",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2022-31631",
        "datePublished": "2025-02-12T22:10:45.418Z",
        "dateReserved": "2022-05-25T21:03:32.861Z",
        "dateUpdated": "2025-02-13T16:06:41.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-11233 (GCVE-0-2024-11233)

    Vulnerability from nvd – Published: 2024-11-24 01:08 – Updated: 2025-11-03 21:51
    VLAI
    Title
    Single byte overread with convert.quoted-printable-decode filter
    Summary
    In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-122 - Heap-based Buffer Overflow
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.31 (semver)
    Affected: 8.2.* , < 8.2.26 (semver)
    Affected: 8.3.* , < 8.3.14 (semver)
    Create a notification for this product.
    php_group php Affected: 8.1.0 , < 8.1.31 (custom)
    Affected: 8.2.0 , < 8.2.26 (custom)
    Affected: 8.3.0 , < 8.3.14 (custom)
        cpe:2.3:a:php_group:php:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-11-21 18:15
    Credits
    Frostb1te
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:php_group:php:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "php",
                "vendor": "php_group",
                "versions": [
                  {
                    "lessThan": "8.1.31",
                    "status": "affected",
                    "version": "8.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.2.26",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.3.14",
                    "status": "affected",
                    "version": "8.3.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:php_group:php:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "php",
                "vendor": "php_group",
                "versions": [
                  {
                    "lessThan": "8.1.31",
                    "status": "affected",
                    "version": "8.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.2.26",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.3.14",
                    "status": "affected",
                    "version": "8.3.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:php_group:php:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "php",
                "vendor": "php_group",
                "versions": [
                  {
                    "lessThan": "8.1.31",
                    "status": "affected",
                    "version": "8.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.2.26",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.3.14",
                    "status": "affected",
                    "version": "8.3.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-11233",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-24T12:32:59.087887Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-24T12:41:42.881Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T21:51:48.654Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20241220-0008/"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00007.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "filters"
              ],
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.31",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.26",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.14",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Frostb1te"
            }
          ],
          "datePublic": "2024-11-21T18:15:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003econvert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.\u0026nbsp;\u003c/span\u003e"
                }
              ],
              "value": "In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in\u00a0convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122 Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-24T01:08:28.663Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43"
            }
          ],
          "source": {
            "advisory": "https://github.com/php/php-src/security/advisories/GHSA-r977-prx",
            "discovery": "UNKNOWN"
          },
          "title": "Single byte overread with convert.quoted-printable-decode filter",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2024-11233",
        "datePublished": "2024-11-24T01:08:28.663Z",
        "dateReserved": "2024-11-15T06:22:38.785Z",
        "dateUpdated": "2025-11-03T21:51:48.654Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-11236 (GCVE-0-2024-11236)

    Vulnerability from nvd – Published: 2024-11-24 00:44 – Updated: 2025-11-03 21:51
    VLAI
    Title
    Integer overflow in the firebird and dblib quoters causing OOB writes
    Summary
    In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.31 (semver)
    Affected: 8.2.* , < 8.2.26 (semver)
    Affected: 8.3.* , < 8.3.14 (semver)
    Create a notification for this product.
    php_group php Affected: 8.1.0 , < 8.1.31 (custom)
    Affected: 8.2.0 , < 8.2.26 (custom)
    Affected: 8.3.0 , < 8.3.14 (custom)
        cpe:2.3:a:php_group:php:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-11-22 06:15
    Credits
    Niels Dossche
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:php_group:php:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "php",
                "vendor": "php_group",
                "versions": [
                  {
                    "lessThan": "8.1.31",
                    "status": "affected",
                    "version": "8.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.2.26",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.3.14",
                    "status": "affected",
                    "version": "8.3.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:php_group:php:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "php",
                "vendor": "php_group",
                "versions": [
                  {
                    "lessThan": "8.1.31",
                    "status": "affected",
                    "version": "8.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.2.26",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.3.14",
                    "status": "affected",
                    "version": "8.3.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:php_group:php:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "php",
                "vendor": "php_group",
                "versions": [
                  {
                    "lessThan": "8.1.31",
                    "status": "affected",
                    "version": "8.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.2.26",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.3.14",
                    "status": "affected",
                    "version": "8.3.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-11236",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-24T12:32:23.996029Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-24T12:41:42.645Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T21:51:54.520Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20241220-0008/"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00007.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "pdo_firebird",
                "pdo_dblib"
              ],
              "platforms": [
                "32 bit"
              ],
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.31",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.26",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.14",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Niels Dossche"
            }
          ],
          "datePublic": "2024-11-22T06:15:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to \u003c/span\u003e\u003ccode\u003eldap_escape()\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape()\u00a0function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787 Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-24T00:51:28.805Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv"
            }
          ],
          "source": {
            "advisory": "https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84",
            "discovery": "INTERNAL"
          },
          "title": "Integer overflow in the firebird and dblib quoters causing OOB writes",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2024-11236",
        "datePublished": "2024-11-24T00:44:54.951Z",
        "dateReserved": "2024-11-15T06:27:40.425Z",
        "dateUpdated": "2025-11-03T21:51:54.520Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-11234 (GCVE-0-2024-11234)

    Vulnerability from nvd – Published: 2024-11-24 00:57 – Updated: 2025-11-03 21:51
    VLAI
    Title
    Configuring a proxy in a stream context might allow for CRLF injection in URIs
    Summary
    In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    php
    Impacted products
    Vendor Product Version
    PHP Group PHP Affected: 8.1.* , < 8.1.31 (semver)
    Affected: 8.2.* , < 8.2.26 (semver)
    Affected: 8.3.* , < 8.3.14 (semver)
    Create a notification for this product.
    php_group php Affected: 8.1.0 , < 8.1.31 (custom)
    Affected: 8.2.0 , < 8.2.26 (custom)
    Affected: 8.3.0 , < 8.3.14 (custom)
        cpe:2.3:a:php_group:php:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-11-21 18:15
    Credits
    Lorenzo Leonardini
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:php_group:php:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "php",
                "vendor": "php_group",
                "versions": [
                  {
                    "lessThan": "8.1.31",
                    "status": "affected",
                    "version": "8.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.2.26",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.3.14",
                    "status": "affected",
                    "version": "8.3.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:php_group:php:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "php",
                "vendor": "php_group",
                "versions": [
                  {
                    "lessThan": "8.1.31",
                    "status": "affected",
                    "version": "8.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.2.26",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.3.14",
                    "status": "affected",
                    "version": "8.3.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:php_group:php:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "php",
                "vendor": "php_group",
                "versions": [
                  {
                    "lessThan": "8.1.31",
                    "status": "affected",
                    "version": "8.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.2.26",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.3.14",
                    "status": "affected",
                    "version": "8.3.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-11234",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-24T12:32:39.294616Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-24T12:41:42.763Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T21:51:51.580Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20241220-0008/"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00007.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PHP",
              "vendor": "PHP Group",
              "versions": [
                {
                  "lessThan": "8.1.31",
                  "status": "affected",
                  "version": "8.1.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.2.26",
                  "status": "affected",
                  "version": "8.2.*",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.3.14",
                  "status": "affected",
                  "version": "8.3.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lorenzo Leonardini"
            }
          ],
          "datePublic": "2024-11-21T18:15:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and \"request_fulluri\" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.\u0026nbsp;\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and \"request_fulluri\" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-24T00:57:39.349Z",
            "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
            "shortName": "php"
          },
          "references": [
            {
              "url": "https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2"
            }
          ],
          "source": {
            "advisory": "https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm",
            "discovery": "EXTERNAL"
          },
          "title": "Configuring a proxy in a stream context might allow for CRLF injection in URIs",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "assignerShortName": "php",
        "cveId": "CVE-2024-11234",
        "datePublished": "2024-11-24T00:57:39.349Z",
        "dateReserved": "2024-11-15T06:26:08.361Z",
        "dateUpdated": "2025-11-03T21:51:51.580Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }