Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1670 vulnerabilities by PHP
CVE-2026-45062 (GCVE-0-2026-45062)
Vulnerability from nvd – Published: 2026-06-10 17:38 – Updated: 2026-06-11 14:00
VLAI
Title
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
Summary
FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/php/frankenphp/security/adviso… | x_refsource_CONFIRM |
| https://github.com/php/frankenphp/releases/tag/v1.12.3 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| php | frankenphp |
Affected:
>= 1.11.2, < 1.12.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45062",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T14:00:18.823214Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T14:00:50.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frankenphp",
"vendor": "php",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.11.2, \u003c 1.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-176",
"description": "CWE-176: Improper Handling of Unicode Encoding",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178: Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:38:42.454Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm"
},
{
"name": "https://github.com/php/frankenphp/releases/tag/v1.12.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/php/frankenphp/releases/tag/v1.12.3"
}
],
"source": {
"advisory": "GHSA-3g8v-8r37-cgjm",
"discovery": "UNKNOWN"
},
"title": "FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45062",
"datePublished": "2026-06-10T17:38:42.454Z",
"dateReserved": "2026-05-08T18:45:10.095Z",
"dateUpdated": "2026-06-11T14:00:50.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7263 (GCVE-0-2026-7263)
Vulnerability from nvd – Published: 2026-05-10 04:43 – Updated: 2026-05-11 13:04
VLAI
Title
DoS attack via DOMNode::C14N()
Summary
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:04:22.553796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:04:26.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "dom",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nikita Sveshnikov (Positive Technologies)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ilija Tovilo"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, \u003ccode\u003eDOMNode::C14N()\u003c/code\u003e\u0026nbsp;method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N()\u00a0method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Improper Resource Shutdown or Release",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with unreachable exit condition (\u0027infinite loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:46:28.150Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733"
}
],
"source": {
"advisory": "GHSA-4jhr-8w89-j733",
"discovery": "EXTERNAL"
},
"title": "DoS attack via DOMNode::C14N()",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-7263",
"datePublished": "2026-05-10T04:43:04.483Z",
"dateReserved": "2026-04-28T05:12:25.217Z",
"dateUpdated": "2026-05-11T13:04:26.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6104 (GCVE-0-2026-6104)
Vulnerability from nvd – Published: 2026-05-10 04:35 – Updated: 2026-05-11 13:04
VLAI
Title
Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
Summary
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6104",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:04:44.572023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:04:58.462Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "mbstring",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Akshay Jain"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ilija Tovilo"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to \u003ccode\u003emb_convert_encoding()\u003c/code\u003e or related mbstring functions, the code incorrectly assumes that when\u0026nbsp;\u003ccode\u003estrncasecmp()\u003c/code\u003e\u0026nbsp;returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash.\u003cspan\u003e\u0026nbsp;Affected functions include \u003c/span\u003e\u003ccode\u003emb_convert_encoding()\u003c/code\u003e\u003cspan\u003e, \u003c/span\u003e\u003ccode\u003emb_detect_encoding()\u003c/code\u003e\u003cspan\u003e, \u003c/span\u003e\u003ccode\u003emb_convert_variables()\u003c/code\u003e\u003cspan\u003e, and \u003c/span\u003e\u003ccode\u003emb_detect_order()\u003c/code\u003e\u003cspan\u003e, as well as the \u003c/span\u003e\u003ccode\u003embstring.detect_order\u003c/code\u003e\u003cspan\u003e and \u003c/span\u003e\u003ccode\u003embstring.http_output\u003c/code\u003e\u003cspan\u003e INI settings.\u003c/span\u003e"
}
],
"value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when\u00a0strncasecmp()\u00a0returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash.\u00a0Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:35:17.328Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53"
}
],
"source": {
"advisory": "GHSA-74r9-qxhc-fx53",
"discovery": "EXTERNAL"
},
"title": "Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-6104",
"datePublished": "2026-05-10T04:35:17.328Z",
"dateReserved": "2026-04-11T04:15:03.938Z",
"dateUpdated": "2026-05-11T13:04:58.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7568 (GCVE-0-2026-7568)
Vulnerability from nvd – Published: 2026-05-10 03:42 – Updated: 2026-05-11 13:25
VLAI
Title
Signed integer overflow in metaphone()
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7568",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:25:08.120406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:25:17.197Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aleksey Solovev (Positive Technologies)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Tim D\u00fcsterhus"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the \u003ccode\u003emetaphone()\u003c/code\u003e function in ext/standard/metaphone.c uses a \u003ccode\u003esigned int\u003c/code\u003e variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process."
}
],
"impacts": [
{
"capecId": "CAPEC-92",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-92 Forced Integer Overflow"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:44:29.452Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"url": "https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57"
}
],
"source": {
"advisory": "GHSA-96wq-48vp-hh57",
"discovery": "EXTERNAL"
},
"title": "Signed integer overflow in metaphone()",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-7568",
"datePublished": "2026-05-10T03:42:36.433Z",
"dateReserved": "2026-04-30T21:08:49.047Z",
"dateUpdated": "2026-05-11T13:25:17.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7262 (GCVE-0-2026-7262)
Vulnerability from nvd – Published: 2026-05-10 04:00 – Updated: 2026-05-11 13:14
VLAI
Title
NULL pointer dereference in SOAP apache:Map decoder with missing <value>
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL pointer dereference
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7262",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:14:44.873228Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:14:53.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "soap",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ilia Alshanetsky"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ilija Tovilo"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.\u0026nbsp; This leads to\u0026nbsp;dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.\u00a0 This leads to\u00a0dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.9,
"baseSeverity": "LOW",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL pointer dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:00:09.382Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv"
}
],
"source": {
"advisory": "GHSA-hmxp-6pc4-f3vv",
"discovery": "INTERNAL"
},
"title": "NULL pointer dereference in SOAP apache:Map decoder with missing \u003cvalue\u003e",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-7262",
"datePublished": "2026-05-10T04:00:09.382Z",
"dateReserved": "2026-04-28T05:09:37.127Z",
"dateUpdated": "2026-05-11T13:14:53.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7261 (GCVE-0-2026-7261)
Vulnerability from nvd – Published: 2026-05-10 04:07 – Updated: 2026-05-11 13:14
VLAI
Title
SoapServer session-persisted object use-after-free via SOAP header fault
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use after free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:14:14.879341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:14:26.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "soap",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ilia Alshanetsky"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ilija Tovilo"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when \u003ccode\u003eSoapServer\u003c/code\u003e is configured with \u003ccode\u003eSOAP_PERSISTENCE_SESSION\u003c/code\u003e, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:P/AU:Y/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use after free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:07:25.484Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q"
}
],
"source": {
"advisory": "GHSA-m33r-qmcv-p97q",
"discovery": "EXTERNAL"
},
"title": "SoapServer session-persisted object use-after-free via SOAP header fault",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-7261",
"datePublished": "2026-05-10T04:07:25.484Z",
"dateReserved": "2026-04-28T05:08:46.198Z",
"dateUpdated": "2026-05-11T13:14:26.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7259 (GCVE-0-2026-7259)
Vulnerability from nvd – Published: 2026-05-10 04:13 – Updated: 2026-05-11 13:13
VLAI
Title
Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:12:58.875843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:13:50.416Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "mbstring",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Viet Hoang Luu (The University of Melbourne)"
},
{
"lang": "en",
"type": "reporter",
"value": "Amirmohammad Pasdar (The University of Melbourne)"
},
{
"lang": "en",
"type": "reporter",
"value": "Wachiraphan Charoenwet (The University of Melbourne)"
},
{
"lang": "en",
"type": "reporter",
"value": "Shaanan Cohney (The University of Melbourne)"
},
{
"lang": "en",
"type": "reporter",
"value": "Toby Murray (The University of Melbourne)"
},
{
"lang": "en",
"type": "reporter",
"value": "Van-Thuan Pham (The University of Melbourne)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ilija Tovilo"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to\u0026nbsp;\u0026nbsp;a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to\u0026nbsp;\u003ccode\u003emb_regex_encoding()\u003c/code\u003e."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to\u00a0\u00a0a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to\u00a0mb_regex_encoding()."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:13:26.766Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75"
}
],
"source": {
"advisory": "GHSA-wm6j-2649-pv75",
"discovery": "EXTERNAL"
},
"title": "Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-7259",
"datePublished": "2026-05-10T04:13:26.766Z",
"dateReserved": "2026-04-28T05:07:03.118Z",
"dateUpdated": "2026-05-11T13:13:50.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7258 (GCVE-0-2026-7258)
Vulnerability from nvd – Published: 2026-05-10 04:28 – Updated: 2026-05-11 13:06
VLAI
Title
Out-of-bounds read in urldecode() on NetBSD
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:05:55.470310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:06:10.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"platforms": [
"NetBSD"
],
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "xfourj"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ilija Tovilo"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like\u0026nbsp;\u003ccode\u003eisxdigit()\u003c/code\u003e). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which\u0026nbsp;can trigger a denial of service."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like\u00a0isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which\u00a0can trigger a denial of service."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:45:03.566Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4"
}
],
"source": {
"advisory": "GHSA-m8rr-4c36-8gq4",
"discovery": "EXTERNAL"
},
"title": "Out-of-bounds read in urldecode() on NetBSD",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-7258",
"datePublished": "2026-05-10T04:28:14.520Z",
"dateReserved": "2026-04-28T04:58:17.457Z",
"dateUpdated": "2026-05-11T13:06:10.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6735 (GCVE-0-2026-6735)
Vulnerability from nvd – Published: 2026-05-10 03:27 – Updated: 2026-05-11 13:25
VLAI
Title
XSS within PHP-FPM status endpoint
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
1 reference
Impacted products
Date Public
2026-05-07 12:56
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6735",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:25:43.011891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:25:54.957Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "conradfd@proton.me"
}
],
"datePublic": "2026-05-07T12:56:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it\u0026nbsp;\u003cspan\u003eallows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target\u0027s machine when the target is viewing the\u0026nbsp;\u003c/span\u003e\u003cspan\u003ePHP-FPM status page.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it\u00a0allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target\u0027s machine when the target is viewing the\u00a0PHP-FPM status page."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T03:27:00.607Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"url": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv"
}
],
"source": {
"advisory": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9f",
"discovery": "EXTERNAL"
},
"title": "XSS within PHP-FPM status endpoint",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-6735",
"datePublished": "2026-05-10T03:27:00.607Z",
"dateReserved": "2026-04-21T00:39:47.273Z",
"dateUpdated": "2026-05-11T13:25:54.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6722 (GCVE-0-2026-6722)
Vulnerability from nvd – Published: 2026-05-10 04:19 – Updated: 2026-05-12 03:55
VLAI
Title
Use-After-Free in SOAP using Apache map
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T03:55:18.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "soap",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "brettgervasoni"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ilija Tovilo"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Nora Dossche"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension\u0027s object deduplication mechanism stores pointers to PHP objects in a global map\u0026nbsp;without incrementing their reference counts. When an \u003ccode\u003eapache:Map\u003c/code\u003e node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in \u003ccode\u003ethe map\u003c/code\u003e. A subsequent \u003ccode\u003ehref\u003c/code\u003e reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension\u0027s object deduplication mechanism stores pointers to PHP objects in a global map\u00a0without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:19:15.288Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5"
}
],
"source": {
"advisory": "GHSA-85c2-q967-79q5",
"discovery": "EXTERNAL"
},
"title": "Use-After-Free in SOAP using Apache map",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-6722",
"datePublished": "2026-05-10T04:19:15.288Z",
"dateReserved": "2026-04-20T19:39:59.836Z",
"dateUpdated": "2026-05-12T03:55:18.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14179 (GCVE-0-2025-14179)
Vulnerability from nvd – Published: 2026-05-10 03:51 – Updated: 2026-05-11 15:23
VLAI
Title
SQL injection in pdo_firebird via NUL bytes in quoted strings
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:23:23.501909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:23:35.010Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "pdo_firebird",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aleksey Solovev (Positive Technologies)"
},
{
"lang": "en",
"type": "finder",
"value": "Nikita Sveshnikov (Positive Technologies)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ilija Tovilo"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Arnaud Le Blanc"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Saki Takamachi"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via \u003ccode\u003estrncat()\u003c/code\u003e, which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via \u003ccode\u003ePDO::quote()\u003c/code\u003e and embedded in SQL\u0026nbsp;statements."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL\u00a0statements."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T03:51:14.596Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm"
}
],
"source": {
"advisory": "GHSA-w476-322c-wpvm",
"discovery": "EXTERNAL"
},
"title": "SQL injection in pdo_firebird via NUL bytes in quoted strings",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2025-14179",
"datePublished": "2026-05-10T03:51:14.596Z",
"dateReserved": "2025-12-06T06:34:43.979Z",
"dateUpdated": "2026-05-11T15:23:35.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24894 (GCVE-0-2026-24894)
Vulnerability from nvd – Published: 2026-02-12 19:12 – Updated: 2026-02-12 20:04
VLAI
Title
FrankenPHP leaks session data between requests in worker mode
Summary
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/php/frankenphp/security/adviso… | x_refsource_CONFIRM |
| https://github.com/php/frankenphp/commit/24d6c991… | x_refsource_MISC |
| https://github.com/php/frankenphp/releases/tag/v1.11.2 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| php | frankenphp |
Affected:
< 1.11.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T20:04:24.224705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T20:04:57.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frankenphp",
"vendor": "php",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T19:12:04.387Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp"
},
{
"name": "https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735"
},
{
"name": "https://github.com/php/frankenphp/releases/tag/v1.11.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/php/frankenphp/releases/tag/v1.11.2"
}
],
"source": {
"advisory": "GHSA-r3xh-3r3w-47gp",
"discovery": "UNKNOWN"
},
"title": "FrankenPHP leaks session data between requests in worker mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24894",
"datePublished": "2026-02-12T19:12:04.387Z",
"dateReserved": "2026-01-27T19:35:20.529Z",
"dateUpdated": "2026-02-12T20:04:57.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24895 (GCVE-0-2026-24895)
Vulnerability from nvd – Published: 2026-02-12 19:16 – Updated: 2026-02-12 20:04
VLAI
Title
FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files
Summary
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/php/frankenphp/security/adviso… | x_refsource_CONFIRM |
| https://github.com/php/frankenphp/commit/04fdc0c1… | x_refsource_MISC |
| https://github.com/php/frankenphp/releases/tag/v1.11.2 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| php | frankenphp |
Affected:
< 1.11.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T20:03:49.803836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T20:04:07.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frankenphp",
"vendor": "php",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP\u2019s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., \u023a expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T19:16:06.618Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38"
},
{
"name": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e"
},
{
"name": "https://github.com/php/frankenphp/releases/tag/v1.11.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/php/frankenphp/releases/tag/v1.11.2"
}
],
"source": {
"advisory": "GHSA-g966-83w7-6w38",
"discovery": "UNKNOWN"
},
"title": "FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24895",
"datePublished": "2026-02-12T19:16:06.618Z",
"dateReserved": "2026-01-27T19:35:20.529Z",
"dateUpdated": "2026-02-12T20:04:07.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14177 (GCVE-0-2025-14177)
Vulnerability from nvd – Published: 2025-12-27 19:33 – Updated: 2025-12-29 16:01
VLAI
Title
Information Leak of Memory in getimagesize
Summary
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
1 reference
Impacted products
Date Public
2025-12-18 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14177",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T16:01:25.714908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T16:01:36.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "php",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.1.34",
"status": "affected",
"version": "8.1.*",
"versionType": "semver"
},
{
"lessThan": "8.2.30",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.29",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.16",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.1",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Nikita Sveshnikov (Positive Technologies)"
}
],
"datePublic": "2025-12-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.\u003c/p\u003e"
}
],
"value": "In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-27T19:33:23.973Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"url": "https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7"
}
],
"source": {
"advisory": "GHSA-3237-qqm7-mfv7",
"discovery": "EXTERNAL"
},
"title": "Information Leak of Memory in getimagesize",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2025-14177",
"datePublished": "2025-12-27T19:33:23.973Z",
"dateReserved": "2025-12-06T06:23:06.907Z",
"dateUpdated": "2025-12-29T16:01:36.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45062 (GCVE-0-2026-45062)
Vulnerability from cvelistv5 – Published: 2026-06-10 17:38 – Updated: 2026-06-11 14:00
VLAI
Title
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
Summary
FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/php/frankenphp/security/adviso… | x_refsource_CONFIRM |
| https://github.com/php/frankenphp/releases/tag/v1.12.3 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| php | frankenphp |
Affected:
>= 1.11.2, < 1.12.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45062",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T14:00:18.823214Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T14:00:50.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frankenphp",
"vendor": "php",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.11.2, \u003c 1.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-176",
"description": "CWE-176: Improper Handling of Unicode Encoding",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178: Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:38:42.454Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm"
},
{
"name": "https://github.com/php/frankenphp/releases/tag/v1.12.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/php/frankenphp/releases/tag/v1.12.3"
}
],
"source": {
"advisory": "GHSA-3g8v-8r37-cgjm",
"discovery": "UNKNOWN"
},
"title": "FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45062",
"datePublished": "2026-06-10T17:38:42.454Z",
"dateReserved": "2026-05-08T18:45:10.095Z",
"dateUpdated": "2026-06-11T14:00:50.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7263 (GCVE-0-2026-7263)
Vulnerability from cvelistv5 – Published: 2026-05-10 04:43 – Updated: 2026-05-11 13:04
VLAI
Title
DoS attack via DOMNode::C14N()
Summary
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:04:22.553796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:04:26.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "dom",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nikita Sveshnikov (Positive Technologies)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ilija Tovilo"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, \u003ccode\u003eDOMNode::C14N()\u003c/code\u003e\u0026nbsp;method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N()\u00a0method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Improper Resource Shutdown or Release",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with unreachable exit condition (\u0027infinite loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:46:28.150Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733"
}
],
"source": {
"advisory": "GHSA-4jhr-8w89-j733",
"discovery": "EXTERNAL"
},
"title": "DoS attack via DOMNode::C14N()",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-7263",
"datePublished": "2026-05-10T04:43:04.483Z",
"dateReserved": "2026-04-28T05:12:25.217Z",
"dateUpdated": "2026-05-11T13:04:26.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6104 (GCVE-0-2026-6104)
Vulnerability from cvelistv5 – Published: 2026-05-10 04:35 – Updated: 2026-05-11 13:04
VLAI
Title
Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
Summary
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6104",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:04:44.572023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:04:58.462Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "mbstring",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Akshay Jain"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ilija Tovilo"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to \u003ccode\u003emb_convert_encoding()\u003c/code\u003e or related mbstring functions, the code incorrectly assumes that when\u0026nbsp;\u003ccode\u003estrncasecmp()\u003c/code\u003e\u0026nbsp;returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash.\u003cspan\u003e\u0026nbsp;Affected functions include \u003c/span\u003e\u003ccode\u003emb_convert_encoding()\u003c/code\u003e\u003cspan\u003e, \u003c/span\u003e\u003ccode\u003emb_detect_encoding()\u003c/code\u003e\u003cspan\u003e, \u003c/span\u003e\u003ccode\u003emb_convert_variables()\u003c/code\u003e\u003cspan\u003e, and \u003c/span\u003e\u003ccode\u003emb_detect_order()\u003c/code\u003e\u003cspan\u003e, as well as the \u003c/span\u003e\u003ccode\u003embstring.detect_order\u003c/code\u003e\u003cspan\u003e and \u003c/span\u003e\u003ccode\u003embstring.http_output\u003c/code\u003e\u003cspan\u003e INI settings.\u003c/span\u003e"
}
],
"value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when\u00a0strncasecmp()\u00a0returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash.\u00a0Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:35:17.328Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53"
}
],
"source": {
"advisory": "GHSA-74r9-qxhc-fx53",
"discovery": "EXTERNAL"
},
"title": "Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-6104",
"datePublished": "2026-05-10T04:35:17.328Z",
"dateReserved": "2026-04-11T04:15:03.938Z",
"dateUpdated": "2026-05-11T13:04:58.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7258 (GCVE-0-2026-7258)
Vulnerability from cvelistv5 – Published: 2026-05-10 04:28 – Updated: 2026-05-11 13:06
VLAI
Title
Out-of-bounds read in urldecode() on NetBSD
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:05:55.470310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:06:10.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"platforms": [
"NetBSD"
],
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "xfourj"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ilija Tovilo"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like\u0026nbsp;\u003ccode\u003eisxdigit()\u003c/code\u003e). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which\u0026nbsp;can trigger a denial of service."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like\u00a0isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which\u00a0can trigger a denial of service."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:45:03.566Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4"
}
],
"source": {
"advisory": "GHSA-m8rr-4c36-8gq4",
"discovery": "EXTERNAL"
},
"title": "Out-of-bounds read in urldecode() on NetBSD",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-7258",
"datePublished": "2026-05-10T04:28:14.520Z",
"dateReserved": "2026-04-28T04:58:17.457Z",
"dateUpdated": "2026-05-11T13:06:10.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6722 (GCVE-0-2026-6722)
Vulnerability from cvelistv5 – Published: 2026-05-10 04:19 – Updated: 2026-05-12 03:55
VLAI
Title
Use-After-Free in SOAP using Apache map
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T03:55:18.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "soap",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "brettgervasoni"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ilija Tovilo"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Nora Dossche"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension\u0027s object deduplication mechanism stores pointers to PHP objects in a global map\u0026nbsp;without incrementing their reference counts. When an \u003ccode\u003eapache:Map\u003c/code\u003e node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in \u003ccode\u003ethe map\u003c/code\u003e. A subsequent \u003ccode\u003ehref\u003c/code\u003e reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension\u0027s object deduplication mechanism stores pointers to PHP objects in a global map\u00a0without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:19:15.288Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5"
}
],
"source": {
"advisory": "GHSA-85c2-q967-79q5",
"discovery": "EXTERNAL"
},
"title": "Use-After-Free in SOAP using Apache map",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-6722",
"datePublished": "2026-05-10T04:19:15.288Z",
"dateReserved": "2026-04-20T19:39:59.836Z",
"dateUpdated": "2026-05-12T03:55:18.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7259 (GCVE-0-2026-7259)
Vulnerability from cvelistv5 – Published: 2026-05-10 04:13 – Updated: 2026-05-11 13:13
VLAI
Title
Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:12:58.875843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:13:50.416Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "mbstring",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Viet Hoang Luu (The University of Melbourne)"
},
{
"lang": "en",
"type": "reporter",
"value": "Amirmohammad Pasdar (The University of Melbourne)"
},
{
"lang": "en",
"type": "reporter",
"value": "Wachiraphan Charoenwet (The University of Melbourne)"
},
{
"lang": "en",
"type": "reporter",
"value": "Shaanan Cohney (The University of Melbourne)"
},
{
"lang": "en",
"type": "reporter",
"value": "Toby Murray (The University of Melbourne)"
},
{
"lang": "en",
"type": "reporter",
"value": "Van-Thuan Pham (The University of Melbourne)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ilija Tovilo"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to\u0026nbsp;\u0026nbsp;a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to\u0026nbsp;\u003ccode\u003emb_regex_encoding()\u003c/code\u003e."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to\u00a0\u00a0a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to\u00a0mb_regex_encoding()."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:13:26.766Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75"
}
],
"source": {
"advisory": "GHSA-wm6j-2649-pv75",
"discovery": "EXTERNAL"
},
"title": "Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-7259",
"datePublished": "2026-05-10T04:13:26.766Z",
"dateReserved": "2026-04-28T05:07:03.118Z",
"dateUpdated": "2026-05-11T13:13:50.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7261 (GCVE-0-2026-7261)
Vulnerability from cvelistv5 – Published: 2026-05-10 04:07 – Updated: 2026-05-11 13:14
VLAI
Title
SoapServer session-persisted object use-after-free via SOAP header fault
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use after free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:14:14.879341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:14:26.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "soap",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ilia Alshanetsky"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ilija Tovilo"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when \u003ccode\u003eSoapServer\u003c/code\u003e is configured with \u003ccode\u003eSOAP_PERSISTENCE_SESSION\u003c/code\u003e, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:P/AU:Y/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use after free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:07:25.484Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q"
}
],
"source": {
"advisory": "GHSA-m33r-qmcv-p97q",
"discovery": "EXTERNAL"
},
"title": "SoapServer session-persisted object use-after-free via SOAP header fault",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-7261",
"datePublished": "2026-05-10T04:07:25.484Z",
"dateReserved": "2026-04-28T05:08:46.198Z",
"dateUpdated": "2026-05-11T13:14:26.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7262 (GCVE-0-2026-7262)
Vulnerability from cvelistv5 – Published: 2026-05-10 04:00 – Updated: 2026-05-11 13:14
VLAI
Title
NULL pointer dereference in SOAP apache:Map decoder with missing <value>
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL pointer dereference
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7262",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:14:44.873228Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:14:53.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "soap",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ilia Alshanetsky"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ilija Tovilo"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.\u0026nbsp; This leads to\u0026nbsp;dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.\u00a0 This leads to\u00a0dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.9,
"baseSeverity": "LOW",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL pointer dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:00:09.382Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv"
}
],
"source": {
"advisory": "GHSA-hmxp-6pc4-f3vv",
"discovery": "INTERNAL"
},
"title": "NULL pointer dereference in SOAP apache:Map decoder with missing \u003cvalue\u003e",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-7262",
"datePublished": "2026-05-10T04:00:09.382Z",
"dateReserved": "2026-04-28T05:09:37.127Z",
"dateUpdated": "2026-05-11T13:14:53.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14179 (GCVE-0-2025-14179)
Vulnerability from cvelistv5 – Published: 2026-05-10 03:51 – Updated: 2026-05-11 15:23
VLAI
Title
SQL injection in pdo_firebird via NUL bytes in quoted strings
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/php/php-src/security/advisorie… | vendor-advisory |
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:23:23.501909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:23:35.010Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "pdo_firebird",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aleksey Solovev (Positive Technologies)"
},
{
"lang": "en",
"type": "finder",
"value": "Nikita Sveshnikov (Positive Technologies)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ilija Tovilo"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Arnaud Le Blanc"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Saki Takamachi"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via \u003ccode\u003estrncat()\u003c/code\u003e, which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via \u003ccode\u003ePDO::quote()\u003c/code\u003e and embedded in SQL\u0026nbsp;statements."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL\u00a0statements."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T03:51:14.596Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm"
}
],
"source": {
"advisory": "GHSA-w476-322c-wpvm",
"discovery": "EXTERNAL"
},
"title": "SQL injection in pdo_firebird via NUL bytes in quoted strings",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2025-14179",
"datePublished": "2026-05-10T03:51:14.596Z",
"dateReserved": "2025-12-06T06:34:43.979Z",
"dateUpdated": "2026-05-11T15:23:35.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7568 (GCVE-0-2026-7568)
Vulnerability from cvelistv5 – Published: 2026-05-10 03:42 – Updated: 2026-05-11 13:25
VLAI
Title
Signed integer overflow in metaphone()
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7568",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:25:08.120406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:25:17.197Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aleksey Solovev (Positive Technologies)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Tim D\u00fcsterhus"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the \u003ccode\u003emetaphone()\u003c/code\u003e function in ext/standard/metaphone.c uses a \u003ccode\u003esigned int\u003c/code\u003e variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process."
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process."
}
],
"impacts": [
{
"capecId": "CAPEC-92",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-92 Forced Integer Overflow"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T04:44:29.452Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"url": "https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57"
}
],
"source": {
"advisory": "GHSA-96wq-48vp-hh57",
"discovery": "EXTERNAL"
},
"title": "Signed integer overflow in metaphone()",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-7568",
"datePublished": "2026-05-10T03:42:36.433Z",
"dateReserved": "2026-04-30T21:08:49.047Z",
"dateUpdated": "2026-05-11T13:25:17.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6735 (GCVE-0-2026-6735)
Vulnerability from cvelistv5 – Published: 2026-05-10 03:27 – Updated: 2026-05-11 13:25
VLAI
Title
XSS within PHP-FPM status endpoint
Summary
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
1 reference
Impacted products
Date Public
2026-05-07 12:56
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6735",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T13:25:43.011891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T13:25:54.957Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.2.31",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.31",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.21",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.6",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "conradfd@proton.me"
}
],
"datePublic": "2026-05-07T12:56:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it\u0026nbsp;\u003cspan\u003eallows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target\u0027s machine when the target is viewing the\u0026nbsp;\u003c/span\u003e\u003cspan\u003ePHP-FPM status page.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it\u00a0allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target\u0027s machine when the target is viewing the\u00a0PHP-FPM status page."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T03:27:00.607Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"url": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv"
}
],
"source": {
"advisory": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9f",
"discovery": "EXTERNAL"
},
"title": "XSS within PHP-FPM status endpoint",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2026-6735",
"datePublished": "2026-05-10T03:27:00.607Z",
"dateReserved": "2026-04-21T00:39:47.273Z",
"dateUpdated": "2026-05-11T13:25:54.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24895 (GCVE-0-2026-24895)
Vulnerability from cvelistv5 – Published: 2026-02-12 19:16 – Updated: 2026-02-12 20:04
VLAI
Title
FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files
Summary
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/php/frankenphp/security/adviso… | x_refsource_CONFIRM |
| https://github.com/php/frankenphp/commit/04fdc0c1… | x_refsource_MISC |
| https://github.com/php/frankenphp/releases/tag/v1.11.2 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| php | frankenphp |
Affected:
< 1.11.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T20:03:49.803836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T20:04:07.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frankenphp",
"vendor": "php",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP\u2019s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., \u023a expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T19:16:06.618Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38"
},
{
"name": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e"
},
{
"name": "https://github.com/php/frankenphp/releases/tag/v1.11.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/php/frankenphp/releases/tag/v1.11.2"
}
],
"source": {
"advisory": "GHSA-g966-83w7-6w38",
"discovery": "UNKNOWN"
},
"title": "FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24895",
"datePublished": "2026-02-12T19:16:06.618Z",
"dateReserved": "2026-01-27T19:35:20.529Z",
"dateUpdated": "2026-02-12T20:04:07.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24894 (GCVE-0-2026-24894)
Vulnerability from cvelistv5 – Published: 2026-02-12 19:12 – Updated: 2026-02-12 20:04
VLAI
Title
FrankenPHP leaks session data between requests in worker mode
Summary
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/php/frankenphp/security/adviso… | x_refsource_CONFIRM |
| https://github.com/php/frankenphp/commit/24d6c991… | x_refsource_MISC |
| https://github.com/php/frankenphp/releases/tag/v1.11.2 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| php | frankenphp |
Affected:
< 1.11.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T20:04:24.224705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T20:04:57.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frankenphp",
"vendor": "php",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T19:12:04.387Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp"
},
{
"name": "https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735"
},
{
"name": "https://github.com/php/frankenphp/releases/tag/v1.11.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/php/frankenphp/releases/tag/v1.11.2"
}
],
"source": {
"advisory": "GHSA-r3xh-3r3w-47gp",
"discovery": "UNKNOWN"
},
"title": "FrankenPHP leaks session data between requests in worker mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24894",
"datePublished": "2026-02-12T19:12:04.387Z",
"dateReserved": "2026-01-27T19:35:20.529Z",
"dateUpdated": "2026-02-12T20:04:57.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14177 (GCVE-0-2025-14177)
Vulnerability from cvelistv5 – Published: 2025-12-27 19:33 – Updated: 2025-12-29 16:01
VLAI
Title
Information Leak of Memory in getimagesize
Summary
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
1 reference
Impacted products
Date Public
2025-12-18 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14177",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T16:01:25.714908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T16:01:36.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "php",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.1.34",
"status": "affected",
"version": "8.1.*",
"versionType": "semver"
},
{
"lessThan": "8.2.30",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.29",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.16",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.1",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Nikita Sveshnikov (Positive Technologies)"
}
],
"datePublic": "2025-12-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.\u003c/p\u003e"
}
],
"value": "In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-27T19:33:23.973Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"url": "https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7"
}
],
"source": {
"advisory": "GHSA-3237-qqm7-mfv7",
"discovery": "EXTERNAL"
},
"title": "Information Leak of Memory in getimagesize",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2025-14177",
"datePublished": "2025-12-27T19:33:23.973Z",
"dateReserved": "2025-12-06T06:23:06.907Z",
"dateUpdated": "2025-12-29T16:01:36.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14178 (GCVE-0-2025-14178)
Vulnerability from cvelistv5 – Published: 2025-12-27 19:27 – Updated: 2026-01-24 11:04
VLAI
Title
Heap buffer overflow in array_merge()
Summary
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Date Public
2025-12-18 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14178",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T16:00:50.197017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T16:01:02.639Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-01-24T11:04:01.892Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00019.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "php",
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.1.34",
"status": "affected",
"version": "8.1.*",
"versionType": "semver"
},
{
"lessThan": "8.2.30",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.29",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
},
{
"lessThan": "8.4.16",
"status": "affected",
"version": "8.4.*",
"versionType": "semver"
},
{
"lessThan": "8.5.1",
"status": "affected",
"version": "8.5.*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Niels Dossche"
}
],
"datePublic": "2025-12-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.\u003c/p\u003e"
}
],
"value": "In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-27T19:27:41.691Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"url": "https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2"
}
],
"source": {
"advisory": "GHSA-h96m-rvf9-jgm2",
"discovery": "INTERNAL"
},
"title": "Heap buffer overflow in array_merge()",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2025-14178",
"datePublished": "2025-12-27T19:27:41.691Z",
"dateReserved": "2025-12-06T06:25:31.535Z",
"dateUpdated": "2026-01-24T11:04:01.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CERTFR-2026-AVI-0553
Vulnerability from certfr_avis - Published: 2026-05-11 - Updated: 2026-05-11
De multiples vulnérabilités ont été découvertes dans PHP. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une injection SQL (SQLi) et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "PHP versions 8.2.x ant\u00e9rieures \u00e0 8.2.31",
"product": {
"name": "PHP",
"vendor": {
"name": "PHP",
"scada": false
}
}
},
{
"description": "PHP versions 8.4.x ant\u00e9rieures \u00e0 8.4.21",
"product": {
"name": "PHP",
"vendor": {
"name": "PHP",
"scada": false
}
}
},
{
"description": "PHP versions 8.5.x ant\u00e9rieures \u00e0 8.5.6",
"product": {
"name": "PHP",
"vendor": {
"name": "PHP",
"scada": false
}
}
},
{
"description": "PHP versions 8.3.x ant\u00e9rieures \u00e0 8.3.31",
"product": {
"name": "PHP",
"vendor": {
"name": "PHP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-7261",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7261"
},
{
"name": "CVE-2026-6104",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6104"
},
{
"name": "CVE-2026-6735",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6735"
},
{
"name": "CVE-2025-14179",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14179"
},
{
"name": "CVE-2026-7568",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7568"
},
{
"name": "CVE-2026-6722",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6722"
},
{
"name": "CVE-2026-7258",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7258"
},
{
"name": "CVE-2026-42371",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42371"
},
{
"name": "CVE-2026-7259",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7259"
},
{
"name": "CVE-2026-7262",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7262"
},
{
"name": "CVE-2026-7263",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7263"
}
],
"initial_release_date": "2026-05-11T00:00:00",
"last_revision_date": "2026-05-11T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0553",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-11T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans PHP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une injection SQL (SQLi) et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans PHP",
"vendor_advisories": [
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 PHP 8.4.21",
"url": "https://www.php.net/ChangeLog-8.php#8.4.21"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 PHP 8.5.6",
"url": "https://www.php.net/ChangeLog-8.php#8.5.6"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 PHP 8.3.31",
"url": "https://www.php.net/ChangeLog-8.php#8.3.31"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 PHP 8.2.31",
"url": "https://www.php.net/ChangeLog-8.php#8.2.31"
}
]
}