Vulnerability-Lookup

WID-SEC-W-2026-1433

Vulnerability from csaf_certbund - Published: 2026-05-07 22:00 - Updated: 2026-05-27 22:00

Summary

PHP: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: PHP ist eine Programmiersprache, die zur Implementierung von Web-Applikationen genutzt wird.

Angriff: Ein Angreifer kann mehrere Schwachstellen in PHP ausnutzen, um beliebigen Programmcode auszuführen, SQL-Injection- oder Cross-Site-Scripting-Angriffe durchzuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2025-14179

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PHP <8.4.21 Open Source / PHP		<8.4.21
Open Source PHP <8.3.31 Open Source / PHP		<8.3.31
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source PHP <8.2.31 Open Source / PHP		<8.2.31
Zend ZendPHP <8.5.6 Zend / ZendPHP		<8.5.6
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source PHP <8.5.6 Open Source / PHP		<8.5.6

CVE-2026-6104

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PHP <8.4.21 Open Source / PHP		<8.4.21
Open Source PHP <8.3.31 Open Source / PHP		<8.3.31
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source PHP <8.2.31 Open Source / PHP		<8.2.31
Zend ZendPHP <8.5.6 Zend / ZendPHP		<8.5.6
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source PHP <8.5.6 Open Source / PHP		<8.5.6

CVE-2026-6722

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PHP <8.4.21 Open Source / PHP		<8.4.21
Open Source PHP <8.3.31 Open Source / PHP		<8.3.31
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source PHP <8.2.31 Open Source / PHP		<8.2.31
Zend ZendPHP <8.5.6 Zend / ZendPHP		<8.5.6
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source PHP <8.5.6 Open Source / PHP		<8.5.6

CVE-2026-6735

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PHP <8.4.21 Open Source / PHP		<8.4.21
Open Source PHP <8.3.31 Open Source / PHP		<8.3.31
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source PHP <8.2.31 Open Source / PHP		<8.2.31
Zend ZendPHP <8.5.6 Zend / ZendPHP		<8.5.6
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source PHP <8.5.6 Open Source / PHP		<8.5.6

CVE-2026-7258

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PHP <8.4.21 Open Source / PHP		<8.4.21
Open Source PHP <8.3.31 Open Source / PHP		<8.3.31
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source PHP <8.2.31 Open Source / PHP		<8.2.31
Zend ZendPHP <8.5.6 Zend / ZendPHP		<8.5.6
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source PHP <8.5.6 Open Source / PHP		<8.5.6

CVE-2026-7259

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PHP <8.4.21 Open Source / PHP		<8.4.21
Open Source PHP <8.3.31 Open Source / PHP		<8.3.31
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source PHP <8.2.31 Open Source / PHP		<8.2.31
Zend ZendPHP <8.5.6 Zend / ZendPHP		<8.5.6
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source PHP <8.5.6 Open Source / PHP		<8.5.6

CVE-2026-7261

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PHP <8.4.21 Open Source / PHP		<8.4.21
Open Source PHP <8.3.31 Open Source / PHP		<8.3.31
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source PHP <8.2.31 Open Source / PHP		<8.2.31
Zend ZendPHP <8.5.6 Zend / ZendPHP		<8.5.6
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source PHP <8.5.6 Open Source / PHP		<8.5.6

CVE-2026-7262

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PHP <8.4.21 Open Source / PHP		<8.4.21
Open Source PHP <8.3.31 Open Source / PHP		<8.3.31
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source PHP <8.2.31 Open Source / PHP		<8.2.31
Zend ZendPHP <8.5.6 Zend / ZendPHP		<8.5.6
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source PHP <8.5.6 Open Source / PHP		<8.5.6

CVE-2026-7263

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PHP <8.4.21 Open Source / PHP		<8.4.21
Open Source PHP <8.3.31 Open Source / PHP		<8.3.31
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source PHP <8.2.31 Open Source / PHP		<8.2.31
Zend ZendPHP <8.5.6 Zend / ZendPHP		<8.5.6
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source PHP <8.5.6 Open Source / PHP		<8.5.6

CVE-2026-7568

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PHP <8.4.21 Open Source / PHP		<8.4.21
Open Source PHP <8.3.31 Open Source / PHP		<8.3.31
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source PHP <8.2.31 Open Source / PHP		<8.2.31
Zend ZendPHP <8.5.6 Zend / ZendPHP		<8.5.6
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source PHP <8.5.6 Open Source / PHP		<8.5.6

References

20 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://php.net/ChangeLog-8.php#8.2.31	external
https://php.net/ChangeLog-8.php#8.5.6	external
https://php.net/ChangeLog-8.php#8.4.21	external
https://php.net/ChangeLog-8.php#8.3.31	external
https://lists.debian.org/debian-security-announce…	external
https://lists.debian.org/debian-security-announce…	external
https://msrc.microsoft.com/update-guide/	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.debian.org/debian-lts-announce/2026…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.opensuse.org/archives/list/security…	external
https://access.redhat.com/errata/RHSA-2026:14125	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://alas.aws.amazon.com/AL2/ALAS2PHP8.2-2026-…	external
https://www.zend.com/release-notes/zendphp/may-20…	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3316.html	external
https://lists.suse.com/pipermail/sle-security-upd…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "PHP ist eine Programmiersprache, die zur Implementierung von Web-Applikationen genutzt wird.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in PHP ausnutzen, um beliebigen Programmcode auszuf\u00fchren, SQL-Injection- oder Cross-Site-Scripting-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1433 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1433.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1433 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1433"
      },
      {
        "category": "external",
        "summary": "PHP Release Notes vom 2026-05-07",
        "url": "https://php.net/ChangeLog-8.php#8.2.31"
      },
      {
        "category": "external",
        "summary": "PHP Release Notes vom 2026-05-07",
        "url": "https://php.net/ChangeLog-8.php#8.5.6"
      },
      {
        "category": "external",
        "summary": "PHP Release Notes vom 2026-05-07",
        "url": "https://php.net/ChangeLog-8.php#8.4.21"
      },
      {
        "category": "external",
        "summary": "PHP Release Notes vom 2026-05-07",
        "url": "https://php.net/ChangeLog-8.php#8.3.31"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6256 vom 2026-05-08",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00167.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6255 vom 2026-05-08",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00166.html"
      },
      {
        "category": "external",
        "summary": "Microsoft Security Update Guide vom 2026-05-12",
        "url": "https://msrc.microsoft.com/update-guide/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21612-1 vom 2026-05-15",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026031.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4586 vom 2026-05-16",
        "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00031.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1958-1 vom 2026-05-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026135.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1957-1 vom 2026-05-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026136.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20745-1 vom 2026-05-19",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AGRXNVTMRBCHCLXDSZW5XXRVEXKGMQD2/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:14125 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:14125"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2037-1 vom 2026-05-21",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026205.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2PHP8.2-2026-011 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2PHP8.2-2026-011.html"
      },
      {
        "category": "external",
        "summary": "ZendPHP May 2026 Releases vom 2026-05-26",
        "url": "https://www.zend.com/release-notes/zendphp/may-2026-releases"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3316 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3316.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2091-1 vom 2026-05-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026366.html"
      }
    ],
    "source_lang": "en-US",
    "title": "PHP: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-27T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-28T07:28:32.057+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1433",
      "initial_release_date": "2026-05-07T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-07T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-10T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian und European Union Vulnerability Database aufgenommen"
        },
        {
          "date": "2026-05-11T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2026-05-14T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-17T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2026-05-18T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-21T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-26T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2026-05-27T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "9"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "azl3",
                "product": {
                  "name": "Microsoft Azure Linux azl3",
                  "product_id": "T049210",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:microsoft:azure_linux:azl3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c8.2.31",
                "product": {
                  "name": "Open Source PHP \u003c8.2.31",
                  "product_id": "T053710"
                }
              },
              {
                "category": "product_version",
                "name": "8.2.31",
                "product": {
                  "name": "Open Source PHP 8.2.31",
                  "product_id": "T053710-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:php:php:8.2.31"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.5.6",
                "product": {
                  "name": "Open Source PHP \u003c8.5.6",
                  "product_id": "T053711"
                }
              },
              {
                "category": "product_version",
                "name": "8.5.6",
                "product": {
                  "name": "Open Source PHP 8.5.6",
                  "product_id": "T053711-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:php:php:8.5.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.4.21",
                "product": {
                  "name": "Open Source PHP \u003c8.4.21",
                  "product_id": "T053712"
                }
              },
              {
                "category": "product_version",
                "name": "8.4.21",
                "product": {
                  "name": "Open Source PHP 8.4.21",
                  "product_id": "T053712-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:php:php:8.4.21"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.3.31",
                "product": {
                  "name": "Open Source PHP \u003c8.3.31",
                  "product_id": "T053713"
                }
              },
              {
                "category": "product_version",
                "name": "8.3.31",
                "product": {
                  "name": "Open Source PHP 8.3.31",
                  "product_id": "T053713-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:php:php:8.3.31"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "PHP"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c8.5.6",
                "product": {
                  "name": "Zend ZendPHP \u003c8.5.6",
                  "product_id": "T054712"
                }
              },
              {
                "category": "product_version",
                "name": "8.5.6",
                "product": {
                  "name": "Zend ZendPHP 8.5.6",
                  "product_id": "T054712-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:zend:zendphp:8.5.6"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "ZendPHP"
          }
        ],
        "category": "vendor",
        "name": "Zend"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-14179",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T027843",
          "T053712",
          "T053713",
          "398363",
          "T053710",
          "T054712",
          "T049210",
          "T053711"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2025-14179"
    },
    {
      "cve": "CVE-2026-6104",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T027843",
          "T053712",
          "T053713",
          "398363",
          "T053710",
          "T054712",
          "T049210",
          "T053711"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-6104"
    },
    {
      "cve": "CVE-2026-6722",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T027843",
          "T053712",
          "T053713",
          "398363",
          "T053710",
          "T054712",
          "T049210",
          "T053711"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-6722"
    },
    {
      "cve": "CVE-2026-6735",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T027843",
          "T053712",
          "T053713",
          "398363",
          "T053710",
          "T054712",
          "T049210",
          "T053711"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-6735"
    },
    {
      "cve": "CVE-2026-7258",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T027843",
          "T053712",
          "T053713",
          "398363",
          "T053710",
          "T054712",
          "T049210",
          "T053711"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-7258"
    },
    {
      "cve": "CVE-2026-7259",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T027843",
          "T053712",
          "T053713",
          "398363",
          "T053710",
          "T054712",
          "T049210",
          "T053711"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-7259"
    },
    {
      "cve": "CVE-2026-7261",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T027843",
          "T053712",
          "T053713",
          "398363",
          "T053710",
          "T054712",
          "T049210",
          "T053711"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-7261"
    },
    {
      "cve": "CVE-2026-7262",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T027843",
          "T053712",
          "T053713",
          "398363",
          "T053710",
          "T054712",
          "T049210",
          "T053711"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-7262"
    },
    {
      "cve": "CVE-2026-7263",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T027843",
          "T053712",
          "T053713",
          "398363",
          "T053710",
          "T054712",
          "T049210",
          "T053711"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-7263"
    },
    {
      "cve": "CVE-2026-7568",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T027843",
          "T053712",
          "T053713",
          "398363",
          "T053710",
          "T054712",
          "T049210",
          "T053711"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-7568"
    }
  ]
}

CVE-2025-14179 (GCVE-0-2025-14179)

Vulnerability from cvelistv5 – Published: 2026-05-10 03:51 – Updated: 2026-05-11 15:23

Title

SQL injection in pdo_firebird via NUL bytes in quoted strings

Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

Severity

7.4 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

php

References

1 reference

URL	Tags
https://github.com/php/php-src/security/advisorie…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
PHP Group	PHP	Affected: 8.2.* , < 8.2.31 (semver) Affected: 8.3.* , < 8.3.31 (semver) Affected: 8.4.* , < 8.4.21 (semver) Affected: 8.5.* , < 8.5.6 (semver)

Date Public

2026-05-07 00:00

Credits

Aleksey Solovev (Positive Technologies) Nikita Sveshnikov (Positive Technologies) Ilija Tovilo Arnaud Le Blanc Saki Takamachi

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14179",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T15:23:23.501909Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T15:23:35.010Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "packageName": "pdo_firebird",
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.2.31",
              "status": "affected",
              "version": "8.2.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.31",
              "status": "affected",
              "version": "8.3.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4.21",
              "status": "affected",
              "version": "8.4.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.6",
              "status": "affected",
              "version": "8.5.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Aleksey Solovev (Positive Technologies)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Nikita Sveshnikov (Positive Technologies)"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Ilija Tovilo"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Arnaud Le Blanc"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Saki Takamachi"
        }
      ],
      "datePublic": "2026-05-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via \u003ccode\u003estrncat()\u003c/code\u003e, which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via \u003ccode\u003ePDO::quote()\u003c/code\u003e and embedded in SQL\u0026nbsp;statements."
            }
          ],
          "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL\u00a0statements."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T03:51:14.596Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm"
        }
      ],
      "source": {
        "advisory": "GHSA-w476-322c-wpvm",
        "discovery": "EXTERNAL"
      },
      "title": "SQL injection in pdo_firebird via NUL bytes in quoted strings",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2025-14179",
    "datePublished": "2026-05-10T03:51:14.596Z",
    "dateReserved": "2025-12-06T06:34:43.979Z",
    "dateUpdated": "2026-05-11T15:23:35.010Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6104 (GCVE-0-2026-6104)

Vulnerability from cvelistv5 – Published: 2026-05-10 04:35 – Updated: 2026-05-11 13:04

Title

Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding

Summary

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/RE:M/U:Amber

CWE

CWE-125 - Out-of-bounds Read

Assigner

php

References

1 reference

URL	Tags
https://github.com/php/php-src/security/advisorie…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
PHP Group	PHP	Affected: 8.4.* , < 8.4.21 (semver) Affected: 8.5.* , < 8.5.6 (semver)

Date Public

2026-05-07 00:00

Credits

Akshay Jain Ilija Tovilo

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6104",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T13:04:44.572023Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T13:04:58.462Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "mbstring",
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.4.21",
              "status": "affected",
              "version": "8.4.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.6",
              "status": "affected",
              "version": "8.5.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Akshay Jain"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ilija Tovilo"
        }
      ],
      "datePublic": "2026-05-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to \u003ccode\u003emb_convert_encoding()\u003c/code\u003e or related mbstring functions, the code incorrectly assumes that when\u0026nbsp;\u003ccode\u003estrncasecmp()\u003c/code\u003e\u0026nbsp;returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash.\u003cspan\u003e\u0026nbsp;Affected functions include \u003c/span\u003e\u003ccode\u003emb_convert_encoding()\u003c/code\u003e\u003cspan\u003e, \u003c/span\u003e\u003ccode\u003emb_detect_encoding()\u003c/code\u003e\u003cspan\u003e, \u003c/span\u003e\u003ccode\u003emb_convert_variables()\u003c/code\u003e\u003cspan\u003e, and \u003c/span\u003e\u003ccode\u003emb_detect_order()\u003c/code\u003e\u003cspan\u003e, as well as the \u003c/span\u003e\u003ccode\u003embstring.detect_order\u003c/code\u003e\u003cspan\u003e and \u003c/span\u003e\u003ccode\u003embstring.http_output\u003c/code\u003e\u003cspan\u003e INI settings.\u003c/span\u003e"
            }
          ],
          "value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when\u00a0strncasecmp()\u00a0returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash.\u00a0Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T04:35:17.328Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53"
        }
      ],
      "source": {
        "advisory": "GHSA-74r9-qxhc-fx53",
        "discovery": "EXTERNAL"
      },
      "title": "Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2026-6104",
    "datePublished": "2026-05-10T04:35:17.328Z",
    "dateReserved": "2026-04-11T04:15:03.938Z",
    "dateUpdated": "2026-05-11T13:04:58.462Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6722 (GCVE-0-2026-6722)

Vulnerability from cvelistv5 – Published: 2026-05-10 04:19 – Updated: 2026-05-12 03:55

Title

Use-After-Free in SOAP using Apache map

Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

Severity

9.5 (Critical)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/RE:M/U:Red

CWE

CWE-416 - Use After Free

Assigner

php

References

1 reference

URL	Tags
https://github.com/php/php-src/security/advisorie…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
PHP Group	PHP	Affected: 8.2.* , < 8.2.31 (semver) Affected: 8.3.* , < 8.3.31 (semver) Affected: 8.4.* , < 8.4.21 (semver) Affected: 8.5.* , < 8.5.6 (semver)

Date Public

2026-05-07 00:00

Credits

brettgervasoni Ilija Tovilo Nora Dossche

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6722",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T03:55:18.668Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "packageName": "soap",
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.2.31",
              "status": "affected",
              "version": "8.2.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.31",
              "status": "affected",
              "version": "8.3.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4.21",
              "status": "affected",
              "version": "8.4.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.6",
              "status": "affected",
              "version": "8.5.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "brettgervasoni"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ilija Tovilo"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Nora Dossche"
        }
      ],
      "datePublic": "2026-05-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension\u0027s object deduplication mechanism stores pointers to PHP objects in a global map\u0026nbsp;without incrementing their reference counts. When an \u003ccode\u003eapache:Map\u003c/code\u003e node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in \u003ccode\u003ethe map\u003c/code\u003e. A subsequent \u003ccode\u003ehref\u003c/code\u003e reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution."
            }
          ],
          "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension\u0027s object deduplication mechanism stores pointers to PHP objects in a global map\u00a0without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.5,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/RE:M/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T04:19:15.288Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5"
        }
      ],
      "source": {
        "advisory": "GHSA-85c2-q967-79q5",
        "discovery": "EXTERNAL"
      },
      "title": "Use-After-Free in SOAP using Apache map",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2026-6722",
    "datePublished": "2026-05-10T04:19:15.288Z",
    "dateReserved": "2026-04-20T19:39:59.836Z",
    "dateUpdated": "2026-05-12T03:55:18.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6735 (GCVE-0-2026-6735)

Vulnerability from cvelistv5 – Published: 2026-05-10 03:27 – Updated: 2026-05-11 13:25

Title

XSS within PHP-FPM status endpoint

Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

Severity

7.3 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber

CWE

CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')

Assigner

php

References

1 reference

URL	Tags
https://github.com/php/php-src/security/advisorie…

Impacted products

1 product

Vendor	Product	Version
PHP Group	PHP	Affected: 8.2.* , < 8.2.31 (semver) Affected: 8.3.* , < 8.3.31 (semver) Affected: 8.4.* , < 8.4.21 (semver) Affected: 8.5.* , < 8.5.6 (semver)

Date Public

2026-05-07 12:56

Credits

conradfd@proton.me

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6735",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T13:25:43.011891Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T13:25:54.957Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.2.31",
              "status": "affected",
              "version": "8.2.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.31",
              "status": "affected",
              "version": "8.3.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4.21",
              "status": "affected",
              "version": "8.4.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.6",
              "status": "affected",
              "version": "8.5.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "conradfd@proton.me"
        }
      ],
      "datePublic": "2026-05-07T12:56:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it\u0026nbsp;\u003cspan\u003eallows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target\u0027s machine when the target is viewing the\u0026nbsp;\u003c/span\u003e\u003cspan\u003ePHP-FPM status page.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it\u00a0allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target\u0027s machine when the target is viewing the\u00a0PHP-FPM status page."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "PRESENT",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T03:27:00.607Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "url": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv"
        }
      ],
      "source": {
        "advisory": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9f",
        "discovery": "EXTERNAL"
      },
      "title": "XSS within PHP-FPM status endpoint",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2026-6735",
    "datePublished": "2026-05-10T03:27:00.607Z",
    "dateReserved": "2026-04-21T00:39:47.273Z",
    "dateUpdated": "2026-05-11T13:25:54.957Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7258 (GCVE-0-2026-7258)

Vulnerability from cvelistv5 – Published: 2026-05-10 04:28 – Updated: 2026-05-11 13:06

Title

Out-of-bounds read in urldecode() on NetBSD

Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/U:Amber

CWE

CWE-125 - Out-of-bounds Read

Assigner

php

References

1 reference

URL	Tags
https://github.com/php/php-src/security/advisorie…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
PHP Group	PHP	Affected: 8.2.* , < 8.2.31 (semver) Affected: 8.3.* , < 8.3.31 (semver) Affected: 8.4.* , < 8.4.21 (semver) Affected: 8.5.* , < 8.5.6 (semver)

Date Public

2026-05-07 00:00

Credits

xfourj Ilija Tovilo

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7258",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T13:05:55.470310Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T13:06:10.908Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "platforms": [
            "NetBSD"
          ],
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.2.31",
              "status": "affected",
              "version": "8.2.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.31",
              "status": "affected",
              "version": "8.3.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4.21",
              "status": "affected",
              "version": "8.4.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.6",
              "status": "affected",
              "version": "8.5.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "xfourj"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ilija Tovilo"
        }
      ],
      "datePublic": "2026-05-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like\u0026nbsp;\u003ccode\u003eisxdigit()\u003c/code\u003e). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which\u0026nbsp;can trigger a denial of service."
            }
          ],
          "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like\u00a0isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which\u00a0can trigger a denial of service."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T04:45:03.566Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4"
        }
      ],
      "source": {
        "advisory": "GHSA-m8rr-4c36-8gq4",
        "discovery": "EXTERNAL"
      },
      "title": "Out-of-bounds read in urldecode() on NetBSD",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2026-7258",
    "datePublished": "2026-05-10T04:28:14.520Z",
    "dateReserved": "2026-04-28T04:58:17.457Z",
    "dateUpdated": "2026-05-11T13:06:10.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7259 (GCVE-0-2026-7259)

Vulnerability from cvelistv5 – Published: 2026-05-10 04:13 – Updated: 2026-05-11 13:13

Title

Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()

Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().

Severity

2.1 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/U:Amber

CWE

CWE-476 - NULL Pointer Dereference

Assigner

php

References

1 reference

URL	Tags
https://github.com/php/php-src/security/advisorie…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
PHP Group	PHP	Affected: 8.2.* , < 8.2.31 (semver) Affected: 8.3.* , < 8.3.31 (semver) Affected: 8.4.* , < 8.4.21 (semver) Affected: 8.5.* , < 8.5.6 (semver)

Date Public

2026-05-07 00:00

Credits

Viet Hoang Luu (The University of Melbourne) Amirmohammad Pasdar (The University of Melbourne) Wachiraphan Charoenwet (The University of Melbourne) Shaanan Cohney (The University of Melbourne) Toby Murray (The University of Melbourne) Van-Thuan Pham (The University of Melbourne) Ilija Tovilo

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7259",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T13:12:58.875843Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T13:13:50.416Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "packageName": "mbstring",
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.2.31",
              "status": "affected",
              "version": "8.2.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.31",
              "status": "affected",
              "version": "8.3.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4.21",
              "status": "affected",
              "version": "8.4.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.6",
              "status": "affected",
              "version": "8.5.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Viet Hoang Luu (The University of Melbourne)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Amirmohammad Pasdar (The University of Melbourne)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Wachiraphan Charoenwet (The University of Melbourne)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Shaanan Cohney (The University of Melbourne)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Toby Murray (The University of Melbourne)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Van-Thuan Pham (The University of Melbourne)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ilija Tovilo"
        }
      ],
      "datePublic": "2026-05-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to\u0026nbsp;\u0026nbsp;a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to\u0026nbsp;\u003ccode\u003emb_regex_encoding()\u003c/code\u003e."
            }
          ],
          "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to\u00a0\u00a0a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to\u00a0mb_regex_encoding()."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T04:13:26.766Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75"
        }
      ],
      "source": {
        "advisory": "GHSA-wm6j-2649-pv75",
        "discovery": "EXTERNAL"
      },
      "title": "Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2026-7259",
    "datePublished": "2026-05-10T04:13:26.766Z",
    "dateReserved": "2026-04-28T05:07:03.118Z",
    "dateUpdated": "2026-05-11T13:13:50.416Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7261 (GCVE-0-2026-7261)

Vulnerability from cvelistv5 – Published: 2026-05-10 04:07 – Updated: 2026-05-11 13:14

Title

SoapServer session-persisted object use-after-free via SOAP header fault

Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:P/AU:Y/RE:M/U:Amber

CWE

CWE-416 - Use after free

Assigner

php

References

1 reference

URL	Tags
https://github.com/php/php-src/security/advisorie…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
PHP Group	PHP	Affected: 8.2.* , < 8.2.31 (semver) Affected: 8.3.* , < 8.3.31 (semver) Affected: 8.4.* , < 8.4.21 (semver) Affected: 8.5.* , < 8.5.6 (semver)

Date Public

2026-05-07 00:00

Credits

Ilia Alshanetsky Ilija Tovilo

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7261",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T13:14:14.879341Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T13:14:26.451Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "packageName": "soap",
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.2.31",
              "status": "affected",
              "version": "8.2.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.31",
              "status": "affected",
              "version": "8.3.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4.21",
              "status": "affected",
              "version": "8.4.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.6",
              "status": "affected",
              "version": "8.5.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Ilia Alshanetsky"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ilija Tovilo"
        }
      ],
      "datePublic": "2026-05-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when \u003ccode\u003eSoapServer\u003c/code\u003e is configured with \u003ccode\u003eSOAP_PERSISTENCE_SESSION\u003c/code\u003e, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system."
            }
          ],
          "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "PRESENT",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:P/AU:Y/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use after free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T04:07:25.484Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q"
        }
      ],
      "source": {
        "advisory": "GHSA-m33r-qmcv-p97q",
        "discovery": "EXTERNAL"
      },
      "title": "SoapServer session-persisted object use-after-free via SOAP header fault",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2026-7261",
    "datePublished": "2026-05-10T04:07:25.484Z",
    "dateReserved": "2026-04-28T05:08:46.198Z",
    "dateUpdated": "2026-05-11T13:14:26.451Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7262 (GCVE-0-2026-7262)

Vulnerability from cvelistv5 – Published: 2026-05-10 04:00 – Updated: 2026-05-11 13:14

Title

NULL pointer dereference in SOAP apache:Map decoder with missing <value>

Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.

Severity

2.9 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/RE:M/U:Amber

CWE

CWE-476 - NULL pointer dereference

Assigner

php

References

1 reference

URL	Tags
https://github.com/php/php-src/security/advisorie…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
PHP Group	PHP	Affected: 8.2.* , < 8.2.31 (semver) Affected: 8.3.* , < 8.3.31 (semver) Affected: 8.4.* , < 8.4.21 (semver) Affected: 8.5.* , < 8.5.6 (semver)

Date Public

2026-05-07 00:00

Credits

Ilia Alshanetsky Ilija Tovilo

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7262",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T13:14:44.873228Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T13:14:53.526Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "packageName": "soap",
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.2.31",
              "status": "affected",
              "version": "8.2.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.31",
              "status": "affected",
              "version": "8.3.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4.21",
              "status": "affected",
              "version": "8.4.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.6",
              "status": "affected",
              "version": "8.5.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Ilia Alshanetsky"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ilija Tovilo"
        }
      ],
      "datePublic": "2026-05-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.\u0026nbsp; This leads to\u0026nbsp;dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service."
            }
          ],
          "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.\u00a0 This leads to\u00a0dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL pointer dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T04:00:09.382Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv"
        }
      ],
      "source": {
        "advisory": "GHSA-hmxp-6pc4-f3vv",
        "discovery": "INTERNAL"
      },
      "title": "NULL pointer dereference in SOAP apache:Map decoder with missing \u003cvalue\u003e",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2026-7262",
    "datePublished": "2026-05-10T04:00:09.382Z",
    "dateReserved": "2026-04-28T05:09:37.127Z",
    "dateUpdated": "2026-05-11T13:14:53.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7263 (GCVE-0-2026-7263)

Vulnerability from cvelistv5 – Published: 2026-05-10 04:43 – Updated: 2026-05-11 13:04

Title

DoS attack via DOMNode::C14N()

Summary

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/RE:M/U:Amber

CWE

CWE-404 - Improper Resource Shutdown or Release
CWE-835 - Loop with unreachable exit condition ('infinite loop')

Assigner

php

References

1 reference

URL	Tags
https://github.com/php/php-src/security/advisorie…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
PHP Group	PHP	Affected: 8.4.* , < 8.4.21 (semver) Affected: 8.5.* , < 8.5.6 (semver)

Date Public

2026-05-07 00:00

Credits

Nikita Sveshnikov (Positive Technologies) Ilija Tovilo

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7263",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T13:04:22.553796Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T13:04:26.399Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "dom",
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.4.21",
              "status": "affected",
              "version": "8.4.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.6",
              "status": "affected",
              "version": "8.5.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nikita Sveshnikov (Positive Technologies)"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Ilija Tovilo"
        }
      ],
      "datePublic": "2026-05-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, \u003ccode\u003eDOMNode::C14N()\u003c/code\u003e\u0026nbsp;method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N()\u00a0method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-404",
              "description": "CWE-404 Improper Resource Shutdown or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "CWE-835 Loop with unreachable exit condition (\u0027infinite loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T04:46:28.150Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733"
        }
      ],
      "source": {
        "advisory": "GHSA-4jhr-8w89-j733",
        "discovery": "EXTERNAL"
      },
      "title": "DoS attack via DOMNode::C14N()",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2026-7263",
    "datePublished": "2026-05-10T04:43:04.483Z",
    "dateReserved": "2026-04-28T05:12:25.217Z",
    "dateUpdated": "2026-05-11T13:04:26.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7568 (GCVE-0-2026-7568)

Vulnerability from cvelistv5 – Published: 2026-05-10 03:42 – Updated: 2026-05-11 13:25

Title

Signed integer overflow in metaphone()

Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/RE:L/U:Amber

CWE

CWE-190 - Integer Overflow or Wraparound
CWE-125 - Out-of-bounds Read

Assigner

php

References

1 reference

URL	Tags
https://github.com/php/php-src/security/advisorie…

Impacted products

1 product

Vendor	Product	Version
PHP Group	PHP	Affected: 8.2.* , < 8.2.31 (semver) Affected: 8.3.* , < 8.3.31 (semver) Affected: 8.4.* , < 8.4.21 (semver) Affected: 8.5.* , < 8.5.6 (semver)

Date Public

2026-05-07 00:00

Credits

Aleksey Solovev (Positive Technologies) Tim Düsterhus

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7568",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T13:25:08.120406Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T13:25:17.197Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.2.31",
              "status": "affected",
              "version": "8.2.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.31",
              "status": "affected",
              "version": "8.3.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4.21",
              "status": "affected",
              "version": "8.4.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.6",
              "status": "affected",
              "version": "8.5.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Aleksey Solovev (Positive Technologies)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Tim D\u00fcsterhus"
        }
      ],
      "datePublic": "2026-05-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the \u003ccode\u003emetaphone()\u003c/code\u003e function in ext/standard/metaphone.c uses a \u003ccode\u003esigned int\u003c/code\u003e variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process."
            }
          ],
          "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-92",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-92 Forced Integer Overflow"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T04:44:29.452Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "url": "https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57"
        }
      ],
      "source": {
        "advisory": "GHSA-96wq-48vp-hh57",
        "discovery": "EXTERNAL"
      },
      "title": "Signed integer overflow in metaphone()",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2026-7568",
    "datePublished": "2026-05-10T03:42:36.433Z",
    "dateReserved": "2026-04-30T21:08:49.047Z",
    "dateUpdated": "2026-05-11T13:25:17.197Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1433

CVE-2025-14179 (GCVE-0-2025-14179)

CVE-2026-6104 (GCVE-0-2026-6104)

CVE-2026-6722 (GCVE-0-2026-6722)

CVE-2026-6735 (GCVE-0-2026-6735)

CVE-2026-7258 (GCVE-0-2026-7258)

CVE-2026-7259 (GCVE-0-2026-7259)

CVE-2026-7261 (GCVE-0-2026-7261)

CVE-2026-7262 (GCVE-0-2026-7262)

CVE-2026-7263 (GCVE-0-2026-7263)

CVE-2026-7568 (GCVE-0-2026-7568)

Tags

Sightings

Nomenclature