Packagist (Composer) package
james-heinrich/phpthumb
pkg:composer/james-heinrich/phpthumb
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-52994 | Med | 4.9 | <= 1.7.23 | — | Jul 11, 2025 | gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202506081709. | |
| CVE-2013-6919 | — | < 1.7.12 | 1.7.12 | Dec 27, 2014 | The default configuration of phpThumb before 1.7.12 has a false value for the disable_debug option, which allows remote attackers to conduct Server-Side Request Forgery (SSRF) attacks via the src parameter. |
- affected <= 1.7.23
gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202506081709.
- CVE-2013-6919Dec 27, 2014affected < 1.7.12fixed 1.7.12
The default configuration of phpThumb before 1.7.12 has a false value for the disable_debug option, which allows remote attackers to conduct Server-Side Request Forgery (SSRF) attacks via the src parameter.