Unrated severity · NVD Advisory · Published Oct 8, 2024 · Updated Nov 3, 2025
PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)
CVE-2024-8926
Description
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, and 8.3.* before 8.3.12, when certain non-standard configurations of Windows codepages are used, the fixes for CVE-2024-4577 (https://github.com/advisories/GHSA-vxpp-6299-mxw3) may still be bypassed, and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Affected products
11
- osv-coords (9 versions)
  - pkg:bitnami/libphp
  - pkg:bitnami/php
  - pkg:bitnami/php-min
  - pkg:deb/ubuntu/php5?arch=src?distro=trusty/esm
  - pkg:deb/ubuntu/php7.0?arch=src?distro=esm-infra/xenial
  - pkg:deb/ubuntu/php7.2?arch=src?distro=esm-infra/bionic
  - pkg:deb/ubuntu/php7.4?arch=src?distro=focal
  - pkg:deb/ubuntu/php8.1?arch=src?distro=jammy
  - pkg:deb/ubuntu/php8.3?arch=src?distro=noble

  < 8.1.30 (+ 8 more)
- (no CPE), range: < 8.1.30
- (no CPE), range: < 8.1.30
- (no CPE), range: < 8.1.30
- (no CPE), range: >= 0
- (no CPE), range: >= 0
- (no CPE), range: >= 0
- (no CPE), range: >= 0
- (no CPE), range: >= 0
- (no CPE), range: >= 0