PHP Web programming language
Recent PHP Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 8.5.6 | 11 Vulnerabilities Fixed in PHP 8.5.6 | May 7, 2026 |
| 8.2.31 | 8 Vulnerabilities Fixed in PHP 8.2.31 | May 7, 2026 |
| 8.3.31 | 8 Vulnerabilities Fixed in PHP 8.3.31 | May 7, 2026 |
| 8.4.21 | 10 Vulnerabilities Fixed in PHP 8.4.21 | May 7, 2026 |
| 8.1.34 | 3 Vulnerabilities Fixed in PHP 8.1.34 | December 19, 2025 |
| 8.4.16 | 3 Vulnerabilities Fixed in PHP 8.4.16 | December 19, 2025 |
| 8.2.30 | 3 Vulnerabilities Fixed in PHP 8.2.30 | December 18, 2025 |
| 8.5.1 | 3 Vulnerabilities Fixed in PHP 8.5.1 | December 18, 2025 |
| 8.3.29 | 3 Vulnerabilities Fixed in PHP 8.3.29 | December 18, 2025 |
| 8.1.33 | 3 Vulnerabilities Fixed in PHP 8.1.33 | July 3, 2025 |
Known Exploited PHP Vulnerabilities
The following PHP vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| PHP-CGI Query String Parameter Vulnerability | sapi/cgi/cgi_main.c in PHP, when configured as a CGI script, does not properly handle query strings, which allows remote attackers to execute arbitrary code. CVE-2012-1823 Exploit Probability: 94.4% | March 25, 2022 |
The vulnerability CVE-2012-1823: PHP-CGI Query String Parameter Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.
PHP EOL Dates
Ensure that you are using a supported version of PHP. Here are some end of life, and end of support dates for PHP.
| Release | EOL | End of Support | Status |
|---|---|---|---|
| 8.5 | December 31, 2029 | December 31, 2027 | Active. PHP 8.5 will become EOL in 3 years (in 2029). |
| 8.4 | December 31, 2028 | December 31, 2026 | Active. PHP 8.4 will become EOL in two years (in 2028). |
| 8.3 | December 31, 2027 | December 31, 2025 | Active. PHP 8.3 will become EOL next year, in December 2027. |
| 8.2 | December 31, 2026 | December 31, 2024 | EOL This Year. PHP 8.2 will become EOL this year, in December 2026. |
| 8.1 | December 31, 2025 | November 25, 2023 | EOL. PHP 8.1 became EOL in 2025 and support ended in 2023. |
| 8.0 | November 26, 2023 | November 26, 2022 | EOL. PHP 8.0 became EOL in 2023 and support ended in 2022. |
| 7.4 | November 28, 2022 | November 28, 2021 | EOL. PHP 7.4 became EOL in 2022 and support ended in 2021. |
| 7.3 | December 6, 2021 | December 6, 2020 | EOL. PHP 7.3 became EOL in 2021 and support ended in 2020. |
| 7.2 | November 30, 2020 | November 30, 2019 | EOL. PHP 7.2 became EOL in 2020 and support ended in 2019. |
| 7.1 | December 1, 2019 | December 1, 2018 | EOL. PHP 7.1 became EOL in 2019 and support ended in 2018. |
| 7.0 | January 10, 2019 | January 4, 2018 | EOL. PHP 7.0 became EOL in 2019 and support ended in 2018. |
| 5.6 | December 31, 2018 | January 19, 2017 | EOL. PHP 5.6 became EOL in 2018 and support ended in 2017. |
| 5.5 | July 21, 2016 | July 10, 2015 | EOL. PHP 5.5 became EOL in 2016 and support ended in 2015. |
| 5.4 | September 14, 2015 | September 14, 2014 | EOL. PHP 5.4 became EOL in 2015 and support ended in 2014. |
| 5.3 | August 14, 2014 | June 30, 2011 | EOL. PHP 5.3 became EOL in 2014 and support ended in 2011. |
| 5.2 | January 6, 2011 | November 2, 2008 | EOL. PHP 5.2 became EOL in 2011 and support ended in 2008. |
| 5.1 | August 24, 2006 | August 24, 2006 | EOL. PHP 5.1 became EOL in 2006 and support ended in 2006. |
| 5.0 | September 5, 2005 | September 5, 2005 | EOL. PHP 5.0 became EOL in 2005 and support ended in 2005. |
By the Year
In 2026 there have been 11 vulnerabilities in PHP with an average score of 5.1 out of ten. Last year, in 2025, PHP had 15 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in PHP in 2026 could surpass last year's number. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.12.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 11 | 5.10 |
| 2025 | 15 | 4.98 |
| 2024 | 18 | 7.03 |
| 2023 | 7 | 7.09 |
| 2022 | 9 | 8.28 |
| 2021 | 6 | 6.05 |
| 2020 | 15 | 6.13 |
| 2019 | 30 | 7.61 |
| 2018 | 21 | 7.37 |
It may take a day or so for new PHP vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent PHP Security Vulnerabilities
PHP 8.4/8.5 (before 8.4.21/8.5.6) DOMNode::C14N() DoS via infinite loop
CVE-2026-7263
- May 10, 2026
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.
Improper Resource Shutdown or Release
PHP 8.4/8.5 mbstring NUL-byte Encoding OOB Read (fixed 8.4.21/8.5.6)
CVE-2026-6104
- May 10, 2026
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 the strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
Out-of-bounds Read
PHP 8.2-8.5: signed char to ctype triggers DoS in urldecode
CVE-2026-7258
- May 10, 2026
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass a signed char to ctype functions (like isxdigit()). On systems where char is signed by default and the ctype functions are optimized table lookups, such as NetBSD, this can lead to accessing an array with a negative offset, which can trigger a denial of service.
Out-of-bounds Read
PHP 8.2-8.5 SOAP UAF RCE via dangling pointer
CVE-2026-6722
- May 10, 2026
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
Dangling pointer
Segfault DoS: PHP 8.2-8.5 via mb_regex_encoding NULL ptr deref
CVE-2026-7259
- May 10, 2026
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
NULL Pointer Dereference
PHP 8.2-8.5 UAF in SoapServer before 8.2.31/8.3.31/8.4.21/8.5.6
CVE-2026-7261
- May 10, 2026
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, when a SOAP request results in an error, the persistence is handled incorrectly, freeing the object while keeping a pointer to it, which may lead to a use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.
Dangling pointer
PHP SOAP Typemap Null Deref Crash (8.2-8.5 pre 8.2.31/8.3.31/8.4.21/8.5.6)
CVE-2026-7262
- May 10, 2026
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process checks the wrong variable in the case of a missing value element. This leads to dereferencing a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
NULL Pointer Dereference
PHP 8.2-8.5 PDO Firebird SQLi via NUL Byte Injection
CVE-2025-14179
- May 10, 2026
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
SQL Injection
DoS via int overflow PHP 8.x metaphone() (before 8.2.31/8.3.31/8.4.21/8.5.6)
CVE-2026-7568
- May 10, 2026
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
Integer Overflow or Wraparound
XSS via PHP-FPM Status Page (PHP < 8.5.6, 8.4.21, 8.3.31, 8.2.31)
CVE-2026-6735
- May 10, 2026
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitization of user data, an attacker can compose a URL which causes the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target views the PHP-FPM status page.
XSS
uriparser <1.0.1 numeric truncation in URI text range (gigabyte length)
CVE-2026-42371
5.1 - Medium
- April 27, 2026
uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes.
Numeric Truncation Error
PHP 8.x getimagesize() Info Disclosure in APPn Segments (before 8.4.16)
CVE-2025-14177
- December 27, 2025
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Out-of-bounds Read
Heap Buffer Overflow in PHP array_merge (8.1-8.5) pre 8.5.1
CVE-2025-14178
6.5 - Medium
- December 27, 2025
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
Memory Corruption
PHP 8.x PDO PgSQL Emulate Prepares Null Deref Crash (CVE-2025-14180)
CVE-2025-14180
- December 27, 2025
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
NULL Pointer Dereference
Uriparser <=0.9.9 Recursion Stack overflow
CVE-2025-67899
2.9 - Low
- December 14, 2025
uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.
Stack Exhaustion
PHP Prior 8.4.29: pgsql/PDO_PGSQL Escaping Ignores Quoting Errors
CVE-2025-1735
5.9 - Medium
- July 13, 2025
In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.
SQL Injection
PHP 8.x fsockopen Null Char Validation Flaw <8.1.33/8.2.29/8.3.23/8.4.10
CVE-2025-1220
3.7 - Low
- July 13, 2025
In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10, some functions like fsockopen() lack validation that the supplied hostname does not contain null characters. This may lead other functions like parse_url() to treat the hostname in a different way, opening the way to security problems if the user code implements access checks before accessing resources with such functions.
SSRF
PHP 8.x: NPD via XML NS Prefix in SOAP
CVE-2025-6491
5.9 - Medium
- July 13, 2025
In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10, when parsing XML data in SOAP extensions, an overly large (>2Gb) XML namespace prefix may lead to a null pointer dereference. This may lead to crashes and affect the availability of the target server.
NULL Pointer Dereference
CVE-2025-7381: PHP X-Powered-By Header Exposes PHP Version
CVE-2025-7381
- July 09, 2025
Impact: This is an information disclosure vulnerability originating from PHP's base image. This vulnerability exposes the PHP version through an X-Powered-By header, which attackers could exploit to fingerprint the server and identify potential weaknesses. Workarounds: The mitigation requires changing the expose_php variable from "On" to "Off" in the file located at /usr/local/etc/php/php.ini.
UAF in PHP 8.3/8.4 via __set / ??= Operator
CVE-2024-11235
- April 04, 2025
In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.
Dangling pointer
PHP 8.1-8.4 DOM/SimpleXML Charset Header Bypass on Redirect
CVE-2025-1219
- March 30, 2025
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
Inaccurate Comments
PHP Header Injection via Insufficient EOL Validation (<=8.1.32, <=8.2.28, <=8.3.19, <=8.4.5)
CVE-2025-1736
- March 30, 2025
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
Improper Input Validation
PHP 8.1-8.4 Limit on HTTP Redirect Location Buffer (CVE-2025-1861)
CVE-2025-1861
- March 30, 2025
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing an HTTP redirect in the response to an HTTP request, there is currently a limit on the location value size caused by the location buffer being limited to 1024 bytes. However, as per RFC9110, the recommended limit is 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
Incorrect Calculation of Buffer Size
PHP <8.1.32/8.2.28/8.3.19/8.4.5: Invalid Headers Treated as Valid
CVE-2025-1734
- March 30, 2025
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
Improper Input Validation
PHP 8.x: Incorrect HTTP Response Header Parsing (v<8.1.32/8.2.28/8.3.19/8.4.5)
CVE-2025-1217
- March 29, 2025
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when the HTTP request module parses an HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.
Improper Input Validation
PHP PDO::quote() SQLi in SQLite with too long strings (8.2.2)
CVE-2022-31631
- February 12, 2025
In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.
PHP convert.quoted-printable-decode Filter Buffer Overread Vulnerability
CVE-2024-11233
4.8 - Medium
- November 24, 2024
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.
Heap-based Buffer Overflow
PHP ldap_escape() Integer Overflow Vulnerability on 32-bit Systems
CVE-2024-11236
9.8 - Critical
- November 24, 2024
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
Memory Corruption
PHP Stream Proxy Request Smuggling Vulnerability
CVE-2024-11234
4.8 - Medium
- November 24, 2024
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
Improper Input Validation
PHP MySQL Client Heap Disclosure Vulnerability
CVE-2024-8929
5.8 - Medium
- November 22, 2024
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.
Information Disclosure
PHP ldap_escape() Integer Overflow Vulnerability on 32-bit Systems
CVE-2024-8932
9.8 - Critical
- November 22, 2024
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
Memory Corruption
PHP 8.1,8.2,8.3 Cmd Injection via Windows Codepage (CVE-2024-8926)
CVE-2024-8926
8.1 - High
- October 08, 2024
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Shell injection
Arbitrary File Inclusion in PHP 8.1-8.3 via cgi.force_redirect
CVE-2024-8927
7.5 - High
- October 08, 2024
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, the HTTP_REDIRECT_STATUS variable is used to check whether or not the CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to the cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
Insufficient Granularity of Access Control
PHP-FPM Log Pollution in PHP 8.1-8.3 (before 8.3.12)
CVE-2024-9026
3.3 - Low
- October 08, 2024
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
Improper Neutralization of Null Byte or NUL Character
Multipart Parsing flaw in PHP 8.1-8.1.30, 8.2-8.2.24: Data Exclusion (CVE-2024-8925)
CVE-2024-8925
3.1 - Low
- October 08, 2024
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. A malicious attacker able to control part of the submitted data could exclude a portion of other data, potentially leading to erroneous application behavior.
HTTP Request Smuggling
PHP OpenSSL PKCS1 PrivateDecrypt Vulnerable to Marvin Attack before 8.1.29
CVE-2024-2408
5.9 - Medium
- June 09, 2024
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.
Side Channel Attack
PHP 8.1-8.3: Windows CGI Cmd Line Option Injection via Best-Fit CP
CVE-2024-4577
9.8 - Critical
- June 09, 2024
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Shell injection
PHP <8.1.29/8.2.20/8.3.8 Proc_Open Cmd Inject via Trailing Space
CVE-2024-5585
8.8 - High
- June 09, 2024
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
Output Sanitization
PHP 8.1-8.3 FILTER_VALIDATE_URL allows invalid userinfo
CVE-2024-5458
5.3 - Medium
- June 09, 2024
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var, when validating certain types of URLs with FILTER_VALIDATE_URL, treat invalid user information (the username + password part of the URL) as valid user information. This may lead to downstream code accepting invalid URLs as valid and parsing them incorrectly.
Insufficient Verification of Data Authenticity
PHP 8.3.* DoS via mb_encode_mimeheader loop (before 8.3.5)
CVE-2024-2757
7.5 - High
- April 29, 2024
In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function.
Resource Exhaustion
Password_hash null byte bug in PHP <8.1.28/8.2.18/8.3.5
CVE-2024-3096
6.5 - Medium
- April 29, 2024
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
Improper Input Validation
PHP Cookie name flaw: insecure cookie treated as __Host-/__Secure-
CVE-2024-2756
6.5 - Medium
- April 29, 2024
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.
Improper Input Validation
PHP 8.1/8.2/8.3 cmd injection via proc_open() array syntax (< v8.1.28 / < v8.2.18 / < v8.3.5)
CVE-2024-1874
9.4 - Critical
- April 29, 2024
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
Output Sanitization
CVE-2024-3566: CreateProcess-Based Command Injection in Windows Apps
CVE-2024-3566
9.8 - Critical
- April 10, 2024
A command injection vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when specific conditions are satisfied.
PHP CLI Server Heap Buffer Overflow via PHP_CLI_SERVER_WORKERS
CVE-2022-4900
6.2 - Medium
- November 02, 2023
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
Buffer Overflow
PHP <8.0.30/8.1.22/8.2.8 libxml External Entity Exposure
CVE-2023-3823
7.5 - High
- August 11, 2023
In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.
XXE
PHP Phar Directory Stack Buffer Overflow Before 8.0.30/8.1.22/8.2.8
CVE-2023-3824
9.8 - Critical
- August 11, 2023
In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.
Buffer Overflow
PHP <8.0.29/8.1.20/8.2.7 SOAP Digest Auth RNG Fail -> 31b Leak, Nonce Guess
CVE-2023-3247
4.3 - Medium
- July 22, 2023
In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7, when using SOAP HTTP Digest Authentication, the random value generator was not checked for failure and used a narrower range of values than it should have. In case of random generator failure, this could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made it easier for a malicious server to guess the client's nonce.
Use of Insufficiently Random Values
PHP 8.0-8.2 password_verify Accepts Invalid Blowfish Hashes
CVE-2023-0567
6.2 - Medium
- March 01, 2023
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.
Use of Password Hash With Insufficient Computational Effort
PHP 8.0-8.2 Path Resolution Buffer Overflow (CVE-2023-0568)
CVE-2023-0568
8.1 - High
- February 16, 2023
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to the system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with a NUL value, which might lead to unauthorized data access or modification.
Allocation of Resources Without Limits or Throttling