Filtered by vendor Php
Subscriptions
Total
766 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2757 | 1 Php | 1 Php | 2025-06-18 | 7.5 High |
| In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function. | ||||
| CVE-2024-3096 | 3 Debian, Php, Redhat | 3 Debian Linux, Php, Enterprise Linux | 2025-06-18 | 6.5 Medium |
| In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. | ||||
| CVE-2025-1219 | 2 Php, Redhat | 2 Php, Enterprise Linux | 2025-05-23 | 5.3 Medium |
| In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations. | ||||
| CVE-2025-1217 | 2 Php, Redhat | 2 Php, Enterprise Linux | 2025-05-23 | 3.1 Low |
| In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc. | ||||
| CVE-2022-31628 | 4 Debian, Fedoraproject, Php and 1 more | 4 Debian Linux, Fedora, Php and 1 more | 2025-05-20 | 2.3 Low |
| In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop. | ||||
| CVE-2022-37454 | 9 Debian, Extended Keccak Code Package Project, Fedoraproject and 6 more | 9 Debian Linux, Extended Keccak Code Package, Fedora and 6 more | 2025-05-08 | 9.8 Critical |
| The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. | ||||
| CVE-2024-48581 | 2 Mayurik, Php | 2 Best Courier Management System, Best Courier Management System | 2025-05-06 | 9.8 Critical |
| File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component. | ||||
| CVE-2023-41503 | 2 Code-projects, Php | 2 Student Enrollment, Student Enrollment | 2025-05-05 | 9.8 Critical |
| Student Enrollment In PHP v1.0 was discovered to contain a SQL injection vulnerability via the Login function. | ||||
| CVE-2024-48580 | 2 Mayurik, Php | 2 Best Courier Management System, Best Courier Management System | 2025-05-02 | 9.8 Critical |
| SQL Injection vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the email parameter of the login request. | ||||
| CVE-2024-11235 | 2 Php, Redhat | 2 Php, Enterprise Linux | 2025-04-30 | 8.1 High |
| In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution. | ||||
| CVE-2024-48579 | 2 Mayurik, Php | 2 Best House Rental Management System, Best House Rental Management System | 2025-04-28 | 9.8 Critical |
| SQL Injection vulnerability in Best House rental management system project in php v.1.0 allows a remote attacker to execute arbitrary code via the username parameter of the login request. | ||||
| CVE-2017-9227 | 3 Oniguruma Project, Php, Redhat | 3 Oniguruma, Php, Rhel Software Collections | 2025-04-20 | 9.8 Critical |
| An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer. | ||||
| CVE-2017-12933 | 2 Php, Redhat | 2 Php, Rhel Software Collections | 2025-04-20 | N/A |
| The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP. | ||||
| CVE-2017-6441 | 1 Php | 1 Php | 2025-04-20 | N/A |
| The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. NOTE: the vendor disputes the classification of this as a vulnerability, stating "Please do not request CVEs for ordinary bugs. CVEs are relevant for security issues only. | ||||
| CVE-2017-7890 | 2 Php, Redhat | 3 Php, Enterprise Linux, Rhel Software Collections | 2025-04-20 | N/A |
| The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information. | ||||
| CVE-2017-9119 | 2 Netapp, Php | 3 Clustered Data Ontap, Storage Automation Store, Php | 2025-04-20 | N/A |
| The i_zval_ptr_dtor function in Zend/zend_variables.h in PHP 7.1.5 allows attackers to cause a denial of service (memory consumption and application crash) or possibly have unspecified other impact by triggering crafted operations on array data structures. | ||||
| CVE-2016-5873 | 1 Php | 1 Pecl Http | 2025-04-20 | N/A |
| Buffer overflow in the HTTP URL parsing functions in pecl_http before 3.0.1 might allow remote attackers to execute arbitrary code via non-printable characters in a URL. | ||||
| CVE-2017-12868 | 2 Php, Simplesamlphp | 2 Php, Simplesamlphp | 2025-04-20 | N/A |
| The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. | ||||
| CVE-2017-7272 | 1 Php | 1 Php | 2025-04-20 | N/A |
| PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function. | ||||
| CVE-2017-9067 | 2 Modx, Php | 2 Modx Revolution, Php | 2025-04-20 | N/A |
| In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal. | ||||