VYPR
Unrated severityNVD Advisory· Published Feb 4, 2007· Updated Jun 16, 2026

CVE-2006-6966

CVE-2006-6966

Description

phpGraphy before 0.9.13a does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary PHP code by uploading a config.php file via the pictures[] parameter to index.php. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in phpGraphy.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

17
  • Phpgraphy/Phpgraphy17 versions
    cpe:2.3:a:phpgraphy:phpgraphy:*:*:*:*:*:*:*:*+ 16 more
    • cpe:2.3:a:phpgraphy:phpgraphy:*:*:*:*:*:*:*:*range: <=0.9.13
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.10:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.10a:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.11:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.12:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.8:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.9:*:*:*:*:*:*:*
    • cpe:2.3:a:phpgraphy:phpgraphy:0.9.9a:*:*:*:*:*:*:*
    • (no CPE)range: <0.9.13a

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.