VYPR

apk package

wolfi/php-8.2

pkg:apk/wolfi/php-8.2

Vulnerabilities (24)

  • CVE-2026-7568 · High · May 10, 2026
    affected < 8.2.31-r0, fixed 8.2.31-r0

    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 byte

  • CVE-2026-7262 · High · May 10, 2026
    affected < 8.2.31-r0, fixed 8.2.31-r0

    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereference

  • CVE-2026-7261 · Critical · May 10, 2026
    affected < 8.2.31-r0, fixed 8.2.31-r0

    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in a

  • CVE-2026-7259 · Medium · May 10, 2026
    affected < 8.2.31-r0, fixed 8.2.31-r0

    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is explo

  • CVE-2026-7258 · High · May 10, 2026
    affected < 8.2.31-r0, fixed 8.2.31-r0

    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions

  • CVE-2026-6735 · Medium · May 10, 2026
    affected < 8.2.31-r0, fixed 8.2.31-r0

    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, due to improper sanitization of user data, an attacker can compose a URL which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when

  • CVE-2026-6722 · Critical · May 10, 2026
    affected < 8.2.31-r0, fixed 8.2.31-r0

    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains

  • CVE-2025-14179 · Critical · May 10, 2026
    affected < 8.2.31-r0, fixed 8.2.31-r0

    In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via str

  • CVE-2024-11233 · Nov 24, 2024
    affected < 8.2.26-r0, fixed 8.2.26-r0

    In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory ar

  • CVE-2024-11234 · Nov 24, 2024
    affected < 8.2.26-r0, fixed 8.2.26-r0

    In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbi

  • CVE-2024-11236 · Nov 24, 2024
    affected < 8.2.26-r0, fixed 8.2.26-r0

    In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

  • CVE-2024-8932 · Nov 22, 2024
    affected < 8.2.26-r0, fixed 8.2.26-r0

    In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

  • CVE-2024-2408 · Jun 9, 2024
    affected < 8.2.20-r0, fixed 8.2.20-r0

    The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/

  • CVE-2024-4577 · KEV · Jun 9, 2024
    affected < 8.2.20-r0, fixed 8.2.20-r0

    In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP C

  • CVE-2024-5585 · Jun 9, 2024
    affected < 8.2.20-r0, fixed 8.2.20-r0

    In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of

  • CVE-2024-5458 · Jun 9, 2024
    affected < 8.2.20-r0, fixed 8.2.20-r0

    In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + pa

  • CVE-2022-4900 · Nov 2, 2023
    affected < 0, fixed 0

    A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.

  • CVE-2022-4455 · Dec 13, 2022
    affected < 0, fixed 0

    A vulnerability was identified in sproctor php-calendar up to 2.0.13. This impacts an unknown function of the file index.php. Such manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. The attack may be launched remotely. The name of the patch is a29411

  • CVE-2015-3211 · Medium · Aug 25, 2017
    affected < 0, fixed 0

    php-fpm allows local users to write to or create arbitrary files via a symlink attack.

  • CVE-2017-6485 · Medium · Mar 5, 2017
    affected < 0, fixed 0

    A Cross-Site Scripting (XSS) issue was discovered in php-calendar before 2017-03-03. The vulnerability exists due to insufficient filtration of user-supplied data (errorMsg) passed to the "php-calendar-master/error.php" URL. An attacker could execute arbitrary HTML and script cod

Page 1 of 2