Unrated severityNVD Advisory· Published Feb 4, 2007· Updated Jun 16, 2026
CVE-2006-6966
CVE-2006-6966
Description
phpGraphy before 0.9.13a does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary PHP code by uploading a config.php file via the pictures[] parameter to index.php. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in phpGraphy.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
17cpe:2.3:a:phpgraphy:phpgraphy:*:*:*:*:*:*:*:*+ 16 more
- cpe:2.3:a:phpgraphy:phpgraphy:*:*:*:*:*:*:*:*range: <=0.9.13
- cpe:2.3:a:phpgraphy:phpgraphy:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.10a:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpgraphy:phpgraphy:0.9.9a:*:*:*:*:*:*:*
- (no CPE)range: <0.9.13a
Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.