CVE-2026-14355
- EPSS 0.31%
- Veröffentlicht 03.07.2026 20:57:31
- Zuletzt bearbeitet 08.07.2026 20:11:16
In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding o...
CVE-2026-7263
- EPSS 0.35%
- Veröffentlicht 10.05.2026 04:43:04
- Zuletzt bearbeitet 30.06.2026 03:21:19
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the X...
CVE-2026-6104
- EPSS 0.47%
- Veröffentlicht 10.05.2026 04:35:17
- Zuletzt bearbeitet 30.06.2026 03:21:11
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it mean...
CVE-2026-7258
- EPSS 0.34%
- Veröffentlicht 10.05.2026 04:28:14
- Zuletzt bearbeitet 12.05.2026 17:41:43
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized...
CVE-2026-6722
- EPSS 0.74%
- Veröffentlicht 10.05.2026 04:19:15
- Zuletzt bearbeitet 02.07.2026 12:17:44
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. Whe...
CVE-2026-7259
- EPSS 0.2%
- Veröffentlicht 10.05.2026 04:13:26
- Zuletzt bearbeitet 12.05.2026 17:40:38
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of servi...
CVE-2026-7261
- EPSS 0.3%
- Veröffentlicht 10.05.2026 04:07:25
- Zuletzt bearbeitet 12.05.2026 17:40:03
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the c...
CVE-2026-7262
- EPSS 0.78%
- Veröffentlicht 10.05.2026 04:00:09
- Zuletzt bearbeitet 02.07.2026 12:17:45
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value eleme...
CVE-2025-14179
- EPSS 0.3%
- Veröffentlicht 10.05.2026 03:51:14
- Zuletzt bearbeitet 30.06.2026 03:16:43
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containin...
CVE-2026-7568
- EPSS 0.46%
- Veröffentlicht 10.05.2026 03:42:36
- Zuletzt bearbeitet 02.07.2026 12:17:45
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string ...