PHP — Vulnerabilities & Security Advisories 90

All 90 CVE vulnerabilities found in PHP, with AI-generated Chinese analysis, references, and POCs.

Vendor: PHP

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-7263 | DoS attack via DOMNode::C14N() | CWE-404 | 7.5 (AI) | High (AI) | 2026-05-10 |
| CVE-2026-6104 | Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding | CWE-125 | 9.1 (AI) | Critical (AI) | 2026-05-10 |
| CVE-2026-7258 | Out-of-bounds read in urldecode() on NetBSD | CWE-125 | 7.5 (AI) | High (AI) | 2026-05-10 |
| CVE-2026-6722 | Use-After-Free in SOAP using Apache map | CWE-416 | 8.8 (AI) | High (AI) | 2026-05-10 |
| CVE-2026-7259 | Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() | CWE-476 | 7.5 (AI) | High (AI) | 2026-05-10 |
| CVE-2026-7261 | SoapServer session-persisted object use-after-free via SOAP header fault | CWE-416 | 8.8 (AI) | High (AI) | 2026-05-10 |
| CVE-2026-7262 | NULL pointer dereference in SOAP apache:Map decoder with missing <value> | CWE-476 | 7.5 (AI) | High (AI) | 2026-05-10 |
| CVE-2025-14179 | SQL injection in pdo_firebird via NUL bytes in quoted strings | CWE-89 | 9.8 (AI) | Critical (AI) | 2026-05-10 |
| CVE-2026-7568 | Signed integer overflow in metaphone() | CWE-190 | 9.1 (AI) | Critical (AI) | 2026-05-10 |
| CVE-2026-6735 | XSS within PHP-FPM status endpoint | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-05-10 |
| CVE-2025-14177 | Information Leak of Memory in getimagesize | CWE-125 | 9.1 | - | 2025-12-27 |
| CVE-2025-14178 | Heap buffer overflow in array_merge() | CWE-787 | 6.5 | Medium | 2025-12-27 |
| CVE-2025-14180 | NULL Pointer Dereference in PDO quoting | CWE-476 | 7.5 | - | 2025-12-27 |
| CVE-2025-1735 | pgsql extension does not check for errors during escaping | CWE-89 | 5.9 | Medium | 2025-07-13 |
| CVE-2025-1220 | Null byte termination in hostnames | CWE-918 | 3.7 | Low | 2025-07-13 |
| CVE-2025-6491 | NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix | CWE-476 | 5.9 | Medium | 2025-07-13 |
| CVE-2024-11235 | Reference counting in php_request_shutdown causes Use-After-Free | CWE-416 | 9.8 (AI) | Critical (AI) | 2025-04-04 |
| CVE-2025-1861 | Stream HTTP wrapper truncates redirect location to 1024 bytes | CWE-131 | 6.5 | - | 2025-03-30 |
| CVE-2025-1736 | Stream HTTP wrapper header check might omit basic auth header | CWE-20 | 5.3 | - | 2025-03-30 |
| CVE-2025-1734 | Streams HTTP wrapper does not fail for headers with invalid name and no colon | CWE-20 | 7.5 | - | 2025-03-30 |
| CVE-2025-1219 | libxml streams use wrong content-type header when requesting a redirected resource | | 8.1 | - | 2025-03-30 |
| CVE-2025-1217 | Header parser of http stream wrapper does not handle folded headers | CWE-20 | 7.5 | - | 2025-03-29 |
| CVE-2022-31631 | PDO::quote() may return unquoted string | CWE-74 | 9.1 | Critical | 2025-02-12 |
| CVE-2024-11233 | Single byte overread with convert.quoted-printable-decode filter | CWE-122 | 4.8 | Medium | 2024-11-24 |
| CVE-2024-11234 | Configuring a proxy in a stream context might allow for CRLF injection in URIs | CWE-20 | 4.8 | Medium | 2024-11-24 |
| CVE-2024-11236 | Integer overflow in the firebird and dblib quoters causing OOB writes | CWE-787 | 9.8 | Critical | 2024-11-24 |
| CVE-2024-8929 | Leak partial content of the heap through heap buffer over-read in mysqlnd | CWE-200 | 5.8 | Medium | 2024-11-22 |
| CVE-2024-8932 | OOB access in ldap_escape | CWE-787 | 9.8 | Critical | 2024-11-22 |
| CVE-2024-9026 | PHP-FPM logs from children may be altered | CWE-158 | 3.3 | Low | 2024-10-08 |
| CVE-2024-8927 | cgi.force_redirect configuration is bypassable due to the environment variable collision | | 7.5 | High | 2024-10-08 |
