VYPR

PHP

by PHP

CVEs (730)

  • CVE-2017-11628 | High | Jul 25, 2017
    risk 0.51 | cvss 7.8 | epss 0.03

    In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code. NOTE: this is only relevant for PHP applications that…

  • CVE-2016-6289 | High | Jul 25, 2016
    risk 0.51 | cvss 7.8 | epss 0.04

    Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted…

  • CVE-2023-0567 | High | Mar 1, 2023
    risk 0.50 | cvss 7.7 | epss 0.01

    In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as…

  • CVE-2022-31627 | High | Jul 28, 2022
    risk 0.50 | cvss 7.7 | epss 0.02

    In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer, due to incorrect patch applied to the third party code from libmagic, incorrect function may be used to free allocated memory, which may lead to heap corruption.

  • CVE-2018-10546 | High | Apr 29, 2018
    risk 0.50 | cvss 7.5 | epss 0.11

    An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.

  • CVE-2016-7418 | High | Sep 17, 2016
    risk 0.50 | cvss 7.5 | epss 0.11

    The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a…

  • CVE-2026-7263 | High | May 10, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter…

  • CVE-2023-0662 | High | Feb 16, 2023
    risk 0.49 | cvss 7.5 | epss 0.01

    In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or…

  • CVE-2023-0568 | High | Feb 16, 2023
    risk 0.49 | cvss 7.5 | epss 0.01

    In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten…

  • CVE-2020-7062 | High | Feb 27, 2020
    risk 0.49 | cvss 7.5 | epss 0.04

    In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to…

  • CVE-2019-9640 | High | Mar 9, 2019
    risk 0.49 | cvss 7.5 | epss 0.06

    An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn.

  • CVE-2019-9639 | High | Mar 9, 2019
    risk 0.49 | cvss 7.5 | epss 0.08

    An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable.

  • CVE-2019-9638 | High | Mar 9, 2019
    risk 0.49 | cvss 7.5 | epss 0.07

    An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len.

  • CVE-2019-9637 | High | Mar 9, 2019
    risk 0.49 | cvss 7.5 | epss 0.07

    An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling…

  • CVE-2019-9024 | High | Feb 22, 2019
    risk 0.49 | cvss 7.5 | epss 0.07

    An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.

  • CVE-2019-9022 | High | Feb 22, 2019
    risk 0.49 | cvss 7.5 | epss 0.04

    An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data.…

  • CVE-2018-20783 | High | Feb 21, 2019
    risk 0.49 | cvss 7.5 | epss 0.06

    In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file. This is related to…

  • CVE-2018-19935 | High | Dec 7, 2018
    risk 0.49 | cvss 7.5 | epss 0.07

    ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.

  • CVE-2018-19396 | High | Nov 20, 2018
    risk 0.49 | cvss 7.5 | epss 0.05

    ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class.

  • CVE-2018-19395 | High | Nov 20, 2018
    risk 0.49 | cvss 7.5 | epss 0.04

    ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service (NULL pointer dereference and application crash) because com and com_safearray_proxy return NULL in com_properties_get in ext/com_dotnet/com_handlers.c, as demonstrated by a…

Page 8 of 37