Php Group PHP vulnerabilities

87 known vulnerabilities affecting php_group/php.

Total CVEs: 87
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 2
Severity breakdown: CRITICAL 23, HIGH 29, MEDIUM 32, LOW 3

Vulnerabilities

Page 4 of 5
CVE-2021-21706 | P4 | MEDIUM | CVSS 6.5 | ≥ 7.3.x, < 7.3.31; ≥ 7.4.x, < 7.4.24; +1 more | 2021-10-04
CVE-2021-21706 [MEDIUM] CWE-24: In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.
nvd
CVE-2019-11038 | P4 | MEDIUM | CVSS 5.3 | v7.1.x < 7.1.30; v7.2.x < 7.2.19; +1 more | 2019-06-19
CVE-2019-11038 [MEDIUM] CWE-457: When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the s
nvd
CVE-2021-21705 | P4 | MEDIUM | CVSS 5.3 | ≥ 7.3.x, < 7.3.29; ≥ 7.4.x, < 7.4.21; +1 more | 2021-10-04
CVE-2021-21705 [MEDIUM] CWE-20: In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, a URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications -
nvd
CVE-2019-11046 | P4 | MEDIUM | CVSS 5.3 | ≥ 7.2.x, < 7.2.26; ≥ 7.3.x, < 7.3.13; +1 more | 2019-12-23
CVE-2019-11046 [MEDIUM] CWE-125: In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can lead to disclosure of the content of s
nvd
CVE-2021-21704 | P4 | MEDIUM | CVSS 5.9 | ≥ 7.3.x, < 7.3.29; ≥ 7.4.x, < 7.4.21; +1 more | 2021-10-04
CVE-2021-21704 [MEDIUM] CWE-125: In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in
nvd
CVE-2020-7071 | P4 | MEDIUM | CVSS 5.3 | ≥ 7.3.x, < 7.3.26; ≥ 7.4.x, < 7.4.14; +1 more | 2021-02-15
CVE-2020-7071 [MEDIUM] CWE-20: In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept a URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.
nvd
CVE-2022-31630 | P4 | HIGH | CVSS 7.1 | ≥ 7.4.x, < 7.4.33; ≥ 8.0.x, < 8.0.25; +1 more | 2022-11-14
CVE-2022-31630 [HIGH] CWE-131: In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.
nvd
CVE-2024-8929 | P4 | MEDIUM | CVSS 5.8 | ≥ 8.1.*, < 8.1.31; ≥ 8.2.*, < 8.2.24; +1 more | 2024-11-22
CVE-2024-8929 [MEDIUM] CWE-125: In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.
nvd
CVE-2026-7259 | P4 | MEDIUM | CVSS 6.5 | ≥ 8.2.*, < 8.2.31; ≥ 8.3.*, < 8.3.31; +2 more | 2026-05-10
CVE-2026-7259 [MEDIUM] CWE-476: In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_
nvd
CVE-2025-6491 | P4 | MEDIUM | CVSS 5.9 | ≥ 8.1.*, < 8.1.33; ≥ 8.2.*, < 8.2.29; +2 more | 2025-07-13
CVE-2025-6491 [MEDIUM] CWE-476: In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10, when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.
nvd
CVE-2025-1220 | P4 | MEDIUM | CVSS 5.3 | ≥ 8.1.*, < 8.1.33; ≥ 8.2.*, < 8.2.29; +2 more | 2025-07-13
CVE-2025-1220 [MEDIUM] CWE-918: In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10, some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treating the hostname in a different way, thus opening the way to security problems if the user code imp
nvd
CVE-2026-6735 | P4 | MEDIUM | CVSS 6.1 | ≥ 8.2.*, < 8.2.31; ≥ 8.3.*, < 8.3.31; +2 more | 2026-05-10
CVE-2026-6735 [MEDIUM] CWE-79: In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose a URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
nvd
CVE-2020-7063 | P4 | MEDIUM | CVSS 5.3 | ≥ 7.3.x, < 7.3.15; ≥ 7.4.x, < 7.4.3; +1 more | 2020-02-27
CVE-2020-7063 [MEDIUM] CWE-281: In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissio
nvd
CVE-2020-7064 | P4 | MEDIUM | CVSS 5.4 | ≥ 7.3.x, < 7.3.16; ≥ 7.4.x, < 7.4.4; +1 more | 2020-04-01
CVE-2020-7064 [MEDIUM] CWE-125: In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash.
nvd
CVE-2006-3018 | P4 | HIGH | CVSS 7.5 | ≤ 5.1.2 | 2006-06-14
CVE-2006-3018 [HIGH]: Unspecified vulnerability in the session extension functionality in PHP before 5.1.3 has unknown impact and attack vectors related to heap corruption.
nvd
CVE-2024-8925 | P4 | MEDIUM | CVSS 5.3 | ≥ 8.1.*, < 8.1.30; ≥ 8.2.*, < 8.2.24; +1 more | 2024-10-08
CVE-2024-8925 [MEDIUM] CWE-444: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to a malicious attacker who is able to control part of the submitted data being able to exclude a portion of other data, potentially leading to
nvd
CVE-2006-3016 | P4 | CRITICAL | CVSS 9.3 | ≤ 5.1.2 | 2006-06-14
CVE-2006-3016 [CRITICAL]: Unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to "certain characters in session names," including special characters that are frequently associated with CRLF injection, SQL injection, cross-site scripting (XSS), and HTTP response splitting vulnerabilities. NOTE: while the nature of the vulnerabilit
nvd
CVE-2023-0567 | P4 | MEDIUM | CVSS 6.2 | ≥ 8.0.x, < 8.0.28; ≥ 8.1.x, < 8.1.16; +1 more | 2023-03-01
CVE-2023-0567 [MEDIUM] CWE-916: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.
nvd
CVE-2025-1219 | P4 | MEDIUM | CVSS 5.3 | ≥ 8.1.*, < 8.1.32; ≥ 8.2.*, < 8.2.28; +2 more | 2025-03-30
CVE-2025-1219 [MEDIUM] CWE-1116: In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting an HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrec
nvd
CVE-2025-1734 | P4 | MEDIUM | CVSS 5.3 | ≥ 8.1.*, < 8.1.32; ≥ 8.2.*, < 8.2.28; +2 more | 2025-03-30
CVE-2025-1734 [MEDIUM] CWE-20: In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
nvd