Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

php — Vulnerabilities & Security Advisories 91

All 91 CVE vulnerabilities found in php, with AI-generated Chinese analysis, references, and POCs.

This page details Common Weakness Enumeration (CWE) vulnerabilities associated with the PHP programming language, tracked under the vendor "PHP." It aggregates reported security flaws, focusing on critical defects such as remote code execution, cross-site scripting, and buffer overflows that impact the stability and security of PHP-based applications. The data covers a comprehensive historical time range, capturing vulnerabilities from their initial discovery and reporting through to subsequent patch releases and long-term resolution statuses. By reviewing this aggregation, users can track a vendor's advisories to stay informed about the latest security patches and recommended mitigation strategies for known issues. Furthermore, visitors can understand a weakness class by examining common patterns and root causes across multiple incidents, gaining deeper insight into how specific coding errors lead to exploitable conditions in PHP environments. The page also allows users to look up a product's vulnerability history, providing a chronological view of how the PHP core and associated components have evolved in response to security challenges. This resource serves as a factual reference for developers, security auditors, and system administrators who need to assess risk exposure, prioritize remediation efforts, and ensure compliance with current security standards without relying on marketing narratives or speculative analysis.

Vendor: PHP

CVE IDTitleCVSSSeverityPublished
CVE-2026-14355 ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD CWE-122 5.6 Medium2026-07-03
CVE-2026-7263 DoS attack via DOMNode::C14N() CWE-404 7.5 -2026-05-10
CVE-2026-6104 Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding CWE-125 9.1 -2026-05-10
CVE-2026-7258 Out-of-bounds read in urldecode() on NetBSD CWE-125 7.5 -2026-05-10
CVE-2026-6722 Use-After-Free in SOAP using Apache map CWE-416 8.8 -2026-05-10
CVE-2026-7259 Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() CWE-476 7.5 -2026-05-10
CVE-2026-7261 SoapServer session-persisted object use-after-free via SOAP header fault CWE-416 8.8 -2026-05-10
CVE-2026-7262 NULL pointer dereference in SOAP apache:Map decoder with missing <value> CWE-476 7.5 -2026-05-10
CVE-2025-14179 SQL injection in pdo_firebird via NUL bytes in quoted strings CWE-89 9.8 -2026-05-10
CVE-2026-7568 Signed integer overflow in metaphone() CWE-190 9.1 -2026-05-10
CVE-2026-6735 XSS within PHP-FPM status endpoint CWE-79 6.1 -2026-05-10
CVE-2025-14177 Information Leak of Memory in getimagesize CWE-125 9.1 -2025-12-27
CVE-2025-14178 Heap buffer overflow in array_merge() CWE-787 6.5 Medium2025-12-27
CVE-2025-14180 NULL Pointer Dereference in PDO quoting CWE-476 7.5 -2025-12-27
CVE-2025-1735 pgsql extension does not check for errors during escaping CWE-89 5.9 Medium2025-07-13
CVE-2025-1220 Null byte termination in hostnames CWE-918 3.7 Low2025-07-13
CVE-2025-6491 NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix CWE-476 5.9 Medium2025-07-13
CVE-2024-11235 Reference counting in php_request_shutdown causes Use-After-Free CWE-416 9.8AICriticalAI2025-04-04
CVE-2025-1861 Stream HTTP wrapper truncates redirect location to 1024 bytes CWE-131 6.5 -2025-03-30
CVE-2025-1736 Stream HTTP wrapper header check might omit basic auth header CWE-20 5.3 -2025-03-30
CVE-2025-1734 Streams HTTP wrapper does not fail for headers with invalid name and no colon CWE-20 7.5 -2025-03-30
CVE-2025-1219 libxml streams use wrong content-type header when requesting a redirected resource 8.1 -2025-03-30
CVE-2025-1217 Header parser of http stream wrapper does not handle folded headers CWE-20 7.5 -2025-03-29
CVE-2022-31631 PDO::quote() may return unquoted string CWE-74 9.1 Critical2025-02-12
CVE-2024-11233 Single byte overread with convert.quoted-printable-decode filter CWE-122 4.8 Medium2024-11-24
CVE-2024-11234 Configuring a proxy in a stream context might allow for CRLF injection in URIs CWE-20 4.8 Medium2024-11-24
CVE-2024-11236 Integer overflow in the firebird and dblib quoters causing OOB writes CWE-787 9.8 Critical2024-11-24
CVE-2024-8929 Leak partial content of the heap through heap buffer over-read in mysqlnd CWE-200 5.8 Medium2024-11-22
CVE-2024-8932 OOB access in ldap_escape CWE-787 9.8 Critical2024-11-22
CVE-2024-9026 PHP-FPM logs from children may be altered CWE-158 3.3 Low2024-10-08

All 91 known CVE vulnerabilities affecting php with full Chinese analysis, references, and POCs where available.