VYPR

PHP

by PHP

Source repositories

CVEs (730)

  • CVE-2016-6174HigJul 12, 2016
    risk 0.57cvss 8.1epss 0.12

    applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the…

  • CVE-2023-3823HigAug 11, 2023
    risk 0.56cvss 8.6epss 0.01

    In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly…

  • CVE-2016-5096HigAug 7, 2016
    risk 0.56cvss 8.6epss 0.04

    Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument.

  • CVE-2016-5095HigAug 7, 2016
    risk 0.56cvss 8.6epss 0.03

    Integer overflow in the php_escape_html_entities_ex function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from a…

  • CVE-2016-5094HigAug 7, 2016
    risk 0.56cvss 8.6epss 0.05

    Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars…

  • CVE-2016-5093HigAug 7, 2016
    risk 0.56cvss 8.6epss 0.05

    The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' character, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly…

  • CVE-2015-8616HigJan 19, 2016
    risk 0.56cvss 8.6epss 0.02

    Use-after-free vulnerability in the Collator::sortWithSortKeys function in ext/intl/collator/collator_sort.c in PHP 7.x before 7.0.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging the relationships…

  • CVE-2021-21708HigFeb 27, 2022
    risk 0.54cvss 8.2epss 0.03

    In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it…

  • CVE-2017-16642HigNov 7, 2017
    risk 0.54cvss 7.5epss 0.26

    In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to…

  • CVE-2016-5399HigApr 21, 2017
    risk 0.54cvss 7.8epss 0.10

    The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive.

  • CVE-2016-3142HigMar 31, 2016
    risk 0.54cvss 8.2epss 0.05

    The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06…

  • CVE-2022-31626HigJun 16, 2022
    risk 0.53cvss 7.5epss 0.58

    In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow…

  • CVE-2022-31625HigJun 16, 2022
    risk 0.53cvss 8.1epss 0.03

    In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE…

  • CVE-2019-9675HigMar 11, 2019
    risk 0.53cvss 8.1epss 0.06

    An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently…

  • CVE-2016-7412HigSep 17, 2016
    risk 0.53cvss 8.1epss 0.09

    ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via…

  • CVE-2016-7133HigSep 12, 2016
    risk 0.53cvss 8.1epss 0.04

    Zend/zend_alloc.c in PHP 7.x before 7.0.10, when open_basedir is enabled, mishandles huge realloc operations, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a long pathname.

  • CVE-2007-1285HigMar 6, 2007
    risk 0.53cvss 7.5epss 0.18

    The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines.

  • CVE-2026-6104CriMay 10, 2026
    risk 0.52cvss 9.1epss 0.00

    In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same…

  • CVE-2016-7478HigJan 11, 2017
    risk 0.52cvss 7.5epss 0.42

    Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876.

  • CVE-2021-21703HigOct 25, 2021
    risk 0.51cvss 7.8epss 0.01

    In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access…

Page 7 of 37