Multiple serious vulnerabilities have been found in PHP and extensions. Malicious users can exploit these vulnerabilities to cause denial of service or inject code.
PHP versions 5.6.7 and possibly earlier
PHP extensions calendar and pgsql
These vulnerabilities aren’t mitigated by vendor. You can protect yourself with disabling some functionality.