Critical severityNVD Advisory· Published Jul 23, 2025· Updated Apr 15, 2026
CVE-2015-10141
CVE-2015-10141
Description
An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- web.archive.org/web/20231226215418/https://paper.seebug.org/397/nvd
- kirtixs.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/nvd
- www.exploit-db.com/exploits/44568nvd
- www.fortiguard.com/encyclopedia/ips/46000nvd
- www.vulncheck.com/advisories/xdebug-remote-debugger-unauth-os-command-executionnvd
- xdebug.orgnvd
News mentions
0No linked articles in our index yet.