Lucene search
K

419 matches found

OSV
OSV
added 2026/05/12 8:56 a.m.18 views

BIT-PHP-2026-7568 Signed integer overflow in metaphone()

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the metaphone function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed...

7.5CVSS5.8AI score0.00455EPSS
Exploits0References12
OSV
OSV
added 2026/05/12 8:56 a.m.7 views

BIT-PHP-2026-7263 DoS attack via DOMNode::C14N()

In PHP versions 8.4. before 8.4.21 and 8.5. before 8.5.6, DOMNode::C14N method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial ...

7.5CVSS5.8AI score0.00353EPSS
Exploits0References6
OSV
OSV
added 2026/05/12 8:50 a.m.8 views

BIT-LIBPHP-2026-6104 Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding

In PHP versions 8.4. before 8.4.21 and 8.5. before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mbconvertencoding or related mbstring functions, the code incorrectly assumes that when strncasecmp returns 0 it means the strings have the same length. This can lead to...

9.1CVSS5.9AI score0.00469EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.10 views

PT-2026-40300

In PHP versions 8.4. before 8.4.21 and 8.5. before 8.5.6, DOMNode::C14N method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial ...

7.5CVSS5.8AI score0.00353EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/05/11 2:17 p.m.11 views

SUSE CVE-2026-6735

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, 8.5. before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code XSS on the target's machine when the target is viewing...

6.3CVSS6.2AI score0.0021EPSS
Exploits1References15
Fedora
Fedora
added 2026/05/11 12:52 a.m.12 views

[SECURITY] Fedora 44 Update: php-8.5.6-1.fc44

PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is...

9.8CVSS5.8AI score0.00739EPSS
Exploits1
OSV
OSV
added 2026/05/10 5:16 a.m.4 views

UBUNTU-CVE-2026-7568

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the metaphone function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed...

7.5CVSS5.8AI score0.00455EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/10 3:51 a.m.61 views

CVE-2025-14179 SQL injection in pdo_firebird via NUL bytes in quoted strings

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat, which stops at...

8.9CVSS0.00298EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/05/10 3:42 a.m.14 views

CVE-2026-7568

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the metaphone function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed...

7.5CVSS5.8AI score0.00455EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/05/10 3:27 a.m.19 views

CVE-2026-6735 XSS within PHP-FPM status endpoint

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, 8.5. before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code XSS on the target's machine when the target is viewing...

8.8CVSS6.2AI score0.0021EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2026/05/10 12:0 a.m.20 views

Fedora 44 : php (2026-c66eaae759)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-c66eaae759 advisory. PHP version 8.5.6 07 May 2026 Core: Fixed bug GH-19983 GC assertion failure with fibers, generators and destructors. iliaal Fixed ZENDAPI mismatch o...

9.8CVSS5.9AI score0.0078EPSS
Exploits1References13
RedHat Linux
RedHat Linux
added 2026/05/06 12:25 p.m.16 views

Moderate: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: php: php-8.5.6-1.hum1 aarch64, x8664 php-bcmath-8.5.6-1.hum1 aarch64, x8664 php-cli-8.5.6-1.hum1 aarch64, x8664 php-common-8.5.6-1.hum1 aarch64, x8664 php-dba-8.5.6-1.hum1 aarch64, x8664...

8.8CVSS5.8AI score0.00337EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/04/30 10:0 p.m.2 views

CVE-2026-7505

A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3.8.5. This affects an unknown function of the component RPC Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version...

7.5CVSS5AI score0.00381EPSS
Exploits0References8Affected Software2
NVD
NVD
added 2026/04/24 3:16 a.m.5 views

CVE-2026-41305

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML tags, in CSS...

6.1CVSS0.00205EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/24 2:27 a.m.15 views

EUVD-2026-25383

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML tags, in CSS...

6.1CVSS5.2AI score0.00205EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/04/22 7:22 a.m.5 views

CVE-2026-24505

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain an improper input validation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges...

7.2CVSS6.1AI score0.00417EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/04/22 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-31485

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - spi: spi-fsl-lpspi: fix teardown order issue UAF There is a teardown order issue in the driver. The SPI controller is registered using devmspiregistercontroller...

7.8CVSS6AI score0.00126EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/04/21 7:23 p.m.6 views

CVE-2026-26942

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contains an Improper Neutralization of Special Elements used in an OS Command 'OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command...

7.2CVSS6.1AI score0.00882EPSS
Exploits0References1
NVD
NVD
added 2026/04/20 5:16 p.m.4 views

CVE-2026-22761

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges...

7.2CVSS0.01159EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/20 4:39 p.m.33 views

CVE-2026-22761

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges...

6.7CVSS0.01159EPSS
Exploits0References1
Rows per page
Query Builder