php security advisories
45 threat alerts tracking vulnerabilities and security advisories that affect php products.
Vulnios monitors php CVE feeds, vendor advisories, CISA KEV listings, and exploit-prediction data continuously. Each alert below is enriched with severity, exploitation status, affected products, and a remediation path. Use this page to scan recent php security news in one place, or click into an individual alert for full detail.
Critical Vulnerability: CVE-2016-9935 — php — php
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or poss
Critical Vulnerability: CVE-2016-9137 — php — php
Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have uns
Critical Vulnerability: CVE-2016-9138 — php — php
PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other imp
Critical Vulnerability: CVE-2016-9936 — php — php
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafte
Critical Vulnerability: CVE-2014-9912 — php — php
The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp
Critical Vulnerability: CVE-2016-7479 — php — php
In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arb
Critical Vulnerability: CVE-2016-7417 — php — php
ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial o
Critical Vulnerability: CVE-2016-7413 — php — php
Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unsp
Critical Vulnerability: CVE-2016-7129 — php — php
The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified
Critical Vulnerability: CVE-2016-7414 — php — php
The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial
Critical Vulnerability: CVE-2016-7411 — php — php
ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspec
Critical Vulnerability: CVE-2016-7134 — php — php
ext/curl/interface.c in PHP 7.x before 7.0.10 does not work around a libcurl integer overflow, which allows remote attackers to cause a denial of service (allocation error and heap-based buffer overfl
Critical Vulnerability: CVE-2016-7124 — php — php
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified o
Critical Vulnerability: CVE-2016-7126 — php — php
The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate the number of colors, which allows remote attackers to cause a denial of servi
Critical Vulnerability: CVE-2016-7127 — php — php
The imagegammacorrect function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate gamma values, which allows remote attackers to cause a denial of service (out-of-bou
Critical Vulnerability: CVE-2016-5114 — php — php
sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information
Critical Vulnerability: CVE-2016-5773 — php — php
php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote atta
Critical Vulnerability: CVE-2016-5769 — php — php
Multiple integer overflows in mcrypt.c in the mcrypt extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allow remote attackers to cause a denial of service (heap-based buffer ov
Critical Vulnerability: CVE-2016-5768 — php — php
Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attac
Critical Vulnerability: CVE-2016-3132 — php — php
Double free vulnerability in the SplDoublyLinkedList::offsetSet function in ext/spl/spl_dllist.c in PHP 7.x before 7.0.6 allows remote attackers to execute arbitrary code via a crafted index.
Critical Vulnerability: CVE-2016-3078 — php — php
Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have
Critical Vulnerability: CVE-2016-6294 — php — php
The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguage
Critical Vulnerability: CVE-2016-6291 — php — php
The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array
Critical Vulnerability: CVE-2016-6290 — php — php
ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of servi
Critical Vulnerability: CVE-2016-6295 — php — php
ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause
Critical Vulnerability: CVE-2016-6288 — php — php
The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors i
Critical Vulnerability: CVE-2016-6296 — php — php
Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attack
Critical Vulnerability: CVE-2015-5589 — php — php
The phar_convert_to_other function in ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 does not validate a file pointer before a close operation, which allows
Critical Vulnerability: CVE-2015-8876 — php — php
Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not validate certain Exception objects, which allows remote attackers to cause a denial of service (NULL
Critical Vulnerability: CVE-2016-4344 — php — php
Integer overflow in the xml_utf8_encode function in ext/xml/xml.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long argument
Critical Vulnerability: CVE-2016-4345 — php — php
Integer overflow in the php_filter_encode_url function in ext/filter/sanitizing_filters.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other im
Critical Vulnerability: CVE-2015-6835 — php — php
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cau
Critical Vulnerability: CVE-2015-8835 — php — php
The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not properly retrieve keys, which allows remote attackers to cause a
Critical Vulnerability: CVE-2015-8880 — php — php
Double free vulnerability in the format printer in PHP 7.x before 7.0.1 allows remote attackers to have an unspecified impact by triggering an error.
Critical Vulnerability: CVE-2016-2554 — php — php
Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have
Critical Vulnerability: CVE-2015-6834 — php — php
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable
Critical Vulnerability: CVE-2016-1903 — php — php
The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cau
Critical Vulnerability: CVE-2015-8617 — php — php
Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a s
Critical Vulnerability: CVE-2007-1383 — php — php
Integer overflow in the 16 bit variable reference counter in PHP 4 allows context-dependent attackers to execute arbitrary code by overflowing this counter, which causes the same variable to be destro
Critical Vulnerability: CVE-2026-6104 — php — php
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly
Critical Vulnerability: CVE-2017-12932 — php — php
ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through 7.1.8 is prone to a heap use after free while unserializing untrusted data, related to improper use of the hash API for k
Critical Vulnerability: CVE-2017-12933 — php — php
The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data.
Critical Vulnerability: CVE-2017-11362 — php — php
In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buffe
Critical Vulnerability: CVE-2017-8923 — php — php
The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial
Critical Vulnerability: CVE-2016-5873 — php — pecl_http
Buffer overflow in the HTTP URL parsing functions in pecl_http before 3.0.1 might allow remote attackers to execute arbitrary code via non-printable characters in a URL.
Track php exposure across your environment
Vulnios automatically cross-references your asset inventory against new php CVEs and surfaces only what affects you. No more sifting manually — actionable findings only.