Unrated severityNVD Advisory· Published Jun 30, 2001· Updated Apr 16, 2026

CVE-2001-1246

Description

PHP 4.0.5 through 4.1.0 in safe mode does not properly cleanse the 5th parameter to the mail() function, which allows local users and possibly remote attackers to execute arbitrary commands via shell metacharacters.

Affected products

PHP/PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Range: >=4.0.5,<=4.1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.iss.net/security_center/static/6787.phpnvdBroken LinkPatchVendor Advisory
online.securityfocus.com/archive/1/194425nvdBroken LinkThird Party AdvisoryVDB Entry
www.securityfocus.com/bid/2954nvdBroken LinkThird Party AdvisoryVDB Entry
www.php.net/do_download.phpnvdBroken Link
www.redhat.com/support/errata/RHSA-2002-102.htmlnvdBroken Link
www.redhat.com/support/errata/RHSA-2002-129.htmlnvdBroken Link
www.redhat.com/support/errata/RHSA-2003-159.htmlnvdBroken Link

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.004
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000