Php

Php

711 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.2

CVE-2024-11233

Exploit
  • EPSS 0.63%
  • Published 24.11.2024 02:15:16
  • Last modified 26.11.2024 18:26:37

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or discl...

9.8

CVE-2024-11236

Exploit
  • EPSS 1.14%
  • Published 24.11.2024 01:15:04
  • Last modified 26.11.2024 18:29:05

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

7.2

CVE-2024-11234

Exploit
  • EPSS 0.07%
  • Published 24.11.2024 01:15:03
  • Last modified 26.11.2024 19:06:10

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to...

5.8

CVE-2024-8929

Media report Exploit
  • EPSS 0.11%
  • Published 22.11.2024 07:15:03
  • Last modified 02.07.2025 20:11:20

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different user...

9.8

CVE-2024-8932

  • EPSS 0.64%
  • Published 22.11.2024 06:15:20
  • Last modified 02.07.2025 20:08:35

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

3.3

CVE-2024-9026

Media report Exploit
  • EPSS 0.05%
  • Published 08.10.2024 04:15:11
  • Last modified 19.08.2025 16:26:19

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 char...

8.8

CVE-2024-8926

Exploit
  • EPSS 4.44%
  • Published 08.10.2024 04:15:10
  • Last modified 19.08.2025 16:26:02

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for  CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3  may still be bypasse...

7.5

CVE-2024-8927

Exploit
  • EPSS 0.12%
  • Published 08.10.2024 04:15:10
  • Last modified 19.08.2025 16:26:31

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can b...

5.3

CVE-2024-8925

Media report Exploit
  • EPSS 0.17%
  • Published 08.10.2024 04:15:09
  • Last modified 19.08.2025 16:25:49

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to...

5.9

CVE-2024-2408

Exploit
  • EPSS 0.19%
  • Published 09.06.2024 20:15:09
  • Last modified 21.03.2025 18:15:32

The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https...