Php

Php

711 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2024-4577

Warning Media report Exploit
  • EPSS 94.37%
  • Published 09.06.2024 20:15:09
  • Last modified 28.03.2025 15:12:44

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given...

5.3

CVE-2024-5458

Exploit
  • EPSS 2.4%
  • Published 09.06.2024 19:15:52
  • Last modified 14.03.2025 15:15:44

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid u...

8.8

CVE-2024-5585

Exploit
  • EPSS 0.9%
  • Published 09.06.2024 19:15:52
  • Last modified 21.11.2024 09:47:58

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient ...

7.5

CVE-2024-2757

Exploit
  • EPSS 0.63%
  • Published 29.04.2024 04:15:08
  • Last modified 18.06.2025 21:11:40

In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application ...

6.5

CVE-2024-3096

Exploit
  • EPSS 0.59%
  • Published 29.04.2024 04:15:08
  • Last modified 18.06.2025 21:10:50

In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

9.4

CVE-2024-1874

Exploit
  • EPSS 57.55%
  • Published 29.04.2024 04:15:07
  • Last modified 18.06.2025 21:12:24

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can su...

6.5

CVE-2024-2756

  • EPSS 7.14%
  • Published 29.04.2024 04:15:07
  • Last modified 13.02.2025 18:17:57

Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applic...

9.8

CVE-2024-3566

Exploit
  • EPSS 5.83%
  • Published 10.04.2024 16:15:16
  • Last modified 25.06.2025 20:24:12

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

5.5

CVE-2022-4900

  • EPSS 0.08%
  • Published 02.11.2023 16:15:08
  • Last modified 20.03.2025 17:01:07

A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.

9.8

CVE-2023-3824

Exploit
  • EPSS 32.37%
  • Published 11.08.2023 06:15:10
  • Last modified 13.02.2025 17:16:59

In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption...