PHP Group — Vulnerabilities & Security Advisories 88

Browse all 88 CVE security advisories affecting PHP Group. AI-powered Chinese analysis, POCs, and references for each vulnerability.

PHP Group operates as a prominent developer of open-source software, primarily known for creating the PHP scripting language and related web development tools. With 78 recorded Common Vulnerabilities and Exposures, the organization’s codebase has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation and memory management errors within legacy components. While PHP Group actively maintains a security advisory process to patch identified weaknesses, the sheer volume of disclosed CVEs highlights the complexity of securing widely adopted, legacy-heavy infrastructure. The organization’s response to major incidents typically involves rapid security updates and detailed advisories, aiming to mitigate risks for the extensive global community of developers relying on its technologies for web application deployment.

Top products by PHP Group: PHP PHP Imagick extension
| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-7263 | DoS attack via DOMNode::C14N() — PHP | CWE-404 | - | - | 2026-05-10 |
| CVE-2026-6104 | Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding — PHP | CWE-125 | - | - | 2026-05-10 |
| CVE-2026-7258 | Out-of-bounds read in urldecode() on NetBSD — PHP | CWE-125 | - | - | 2026-05-10 |
| CVE-2026-6722 | Use-After-Free in SOAP using Apache map — PHP | CWE-416 | - | - | 2026-05-10 |
| CVE-2026-7259 | Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() — PHP | CWE-476 | - | - | 2026-05-10 |
| CVE-2026-7261 | SoapServer session-persisted object use-after-free via SOAP header fault — PHP | CWE-416 | - | - | 2026-05-10 |
| CVE-2026-7262 | NULL pointer dereference in SOAP apache:Map decoder with missing <value> — PHP | CWE-476 | - | - | 2026-05-10 |
| CVE-2025-14179 | SQL injection in pdo_firebird via NUL bytes in quoted strings — PHP | CWE-89 | - | - | 2026-05-10 |
| CVE-2026-7568 | Signed integer overflow in metaphone() — PHP | CWE-190 | - | - | 2026-05-10 |
| CVE-2026-6735 | XSS within PHP-FPM status endpoint — PHP | CWE-79 | - | - | 2026-05-10 |
| CVE-2025-14177 | Information Leak of Memory in getimagesize — PHP | CWE-125 | 9.1 | - | 2025-12-27 |
| CVE-2025-14178 | Heap buffer overflow in array_merge() — PHP | CWE-787 | 6.5 | Medium | 2025-12-27 |
| CVE-2025-14180 | NULL Pointer Dereference in PDO quoting — PHP | CWE-476 | 7.5 | - | 2025-12-27 |
| CVE-2025-1735 | pgsql extension does not check for errors during escaping — PHP | CWE-89 | 5.9 | Medium | 2025-07-13 |
| CVE-2025-1220 | Null byte termination in hostnames — PHP | CWE-918 | 3.7 | Low | 2025-07-13 |
| CVE-2025-6491 | NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix — PHP | CWE-476 | 5.9 | Medium | 2025-07-13 |
| CVE-2024-11235 | Reference counting in php_request_shutdown causes Use-After-Free — PHP | CWE-416 | 9.8 (AI) | Critical (AI) | 2025-04-04 |
| CVE-2025-1861 | Stream HTTP wrapper truncates redirect location to 1024 bytes — PHP | CWE-131 | 6.5 | - | 2025-03-30 |
| CVE-2025-1736 | Stream HTTP wrapper header check might omit basic auth header — PHP | CWE-20 | 5.3 | - | 2025-03-30 |
| CVE-2025-1734 | Streams HTTP wrapper does not fail for headers with invalid name and no colon — PHP | CWE-20 | 7.5 | - | 2025-03-30 |
| CVE-2025-1219 | libxml streams use wrong content-type header when requesting a redirected resource — PHP | - | 8.1 | - | 2025-03-30 |
| CVE-2025-1217 | Header parser of http stream wrapper does not handle folded headers — PHP | CWE-20 | 7.5 | - | 2025-03-29 |
| CVE-2022-31631 | PDO::quote() may return unquoted string — PHP | CWE-74 | 9.1 | Critical | 2025-02-12 |
| CVE-2024-11233 | Single byte overread with convert.quoted-printable-decode filter — PHP | CWE-122 | 4.8 | Medium | 2024-11-24 |
| CVE-2024-11234 | Configuring a proxy in a stream context might allow for CRLF injection in URIs — PHP | CWE-20 | 4.8 | Medium | 2024-11-24 |
| CVE-2024-11236 | Integer overflow in the firebird and dblib quoters causing OOB writes — PHP | CWE-787 | 9.8 | Critical | 2024-11-24 |
| CVE-2024-8929 | Leak partial content of the heap through heap buffer over-read in mysqlnd — PHP | CWE-200 | 5.8 | Medium | 2024-11-22 |
| CVE-2024-8932 | OOB access in ldap_escape — PHP | CWE-787 | 9.8 | Critical | 2024-11-22 |
| CVE-2024-9026 | PHP-FPM logs from children may be altered — PHP | CWE-158 | 3.3 | Low | 2024-10-08 |
| CVE-2024-8927 | cgi.force_redirect configuration is bypassable due to the environment variable collision — PHP | - | 7.5 | High | 2024-10-08 |

This page lists every published CVE security advisory associated with PHP Group. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.