Filtered by vendor Php
Subscriptions
Total
766 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2757 | 1 Php | 1 Php | 2025-06-18 | 7.5 High |
| In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function. | ||||
| CVE-2024-3096 | 3 Debian, Php, Redhat | 3 Debian Linux, Php, Enterprise Linux | 2025-06-18 | 6.5 Medium |
| In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. | ||||
| CVE-2025-1219 | 2 Php, Redhat | 2 Php, Enterprise Linux | 2025-05-23 | 5.3 Medium |
| In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations. | ||||
| CVE-2025-1217 | 2 Php, Redhat | 2 Php, Enterprise Linux | 2025-05-23 | 3.1 Low |
| In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc. | ||||
| CVE-2022-31628 | 4 Debian, Fedoraproject, Php and 1 more | 4 Debian Linux, Fedora, Php and 1 more | 2025-05-20 | 2.3 Low |
| In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop. | ||||
| CVE-2022-37454 | 9 Debian, Extended Keccak Code Package Project, Fedoraproject and 6 more | 9 Debian Linux, Extended Keccak Code Package, Fedora and 6 more | 2025-05-08 | 9.8 Critical |
| The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. | ||||
| CVE-2024-48581 | 2 Mayurik, Php | 2 Best Courier Management System, Best Courier Management System | 2025-05-06 | 9.8 Critical |
| File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component. | ||||
| CVE-2023-41503 | 2 Code-projects, Php | 2 Student Enrollment, Student Enrollment | 2025-05-05 | 9.8 Critical |
| Student Enrollment In PHP v1.0 was discovered to contain a SQL injection vulnerability via the Login function. | ||||
| CVE-2024-48580 | 2 Mayurik, Php | 2 Best Courier Management System, Best Courier Management System | 2025-05-02 | 9.8 Critical |
| SQL Injection vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the email parameter of the login request. | ||||
| CVE-2024-11235 | 2 Php, Redhat | 2 Php, Enterprise Linux | 2025-04-30 | 8.1 High |
| In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution. | ||||
| CVE-2024-48579 | 2 Mayurik, Php | 2 Best House Rental Management System, Best House Rental Management System | 2025-04-28 | 9.8 Critical |
| SQL Injection vulnerability in Best House rental management system project in php v.1.0 allows a remote attacker to execute arbitrary code via the username parameter of the login request. | ||||
| CVE-2017-12932 | 2 Php, Redhat | 2 Php, Rhel Software Collections | 2025-04-20 | N/A |
| ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through 7.1.8 is prone to a heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array size. Exploitation of this issue can have an unspecified impact on the integrity of PHP. | ||||
| CVE-2017-7272 | 1 Php | 1 Php | 2025-04-20 | N/A |
| PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function. | ||||
| CVE-2017-9227 | 3 Oniguruma Project, Php, Redhat | 3 Oniguruma, Php, Rhel Software Collections | 2025-04-20 | 9.8 Critical |
| An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer. | ||||
| CVE-2017-9067 | 2 Modx, Php | 2 Modx Revolution, Php | 2025-04-20 | N/A |
| In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal. | ||||
| CVE-2017-11142 | 1 Php | 1 Php | 2025-04-20 | N/A |
| In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c. | ||||
| CVE-2016-10159 | 3 Debian, Php, Redhat | 3 Debian Linux, Php, Rhel Software Collections | 2025-04-20 | 7.5 High |
| Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive. | ||||
| CVE-2016-4473 | 3 Php, Redhat, Suse | 4 Php, Rhel Software Collections, Linux Enterprise Module For Web Scripting and 1 more | 2025-04-20 | N/A |
| /ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833. | ||||
| CVE-2017-12933 | 2 Php, Redhat | 2 Php, Rhel Software Collections | 2025-04-20 | N/A |
| The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP. | ||||
| CVE-2016-10158 | 2 Php, Redhat | 2 Php, Rhel Software Collections | 2025-04-20 | N/A |
| The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1. | ||||