Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : PHP vulnerabilities (USN-8336-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8336-1 advisory. Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly handled NUL bytes when preparing SQL queries in the...

AlmaLinux 8 : php:8.2 (ALSA-2026:22305)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:22305 advisory. PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions CVE-2026-7258 PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting...

PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation

A flaw was found in PHP, specifically within the PHP-FPM status page. Due to improper sanitation of user data, a remote attacker can craft a malicious URL. When a user views the PHP-FPM status page with this crafted URL, it can lead to the execution of arbitrary JavaScript code Cross-Site Scripti...

RLSA-2026:22142 Important: php:8.3 security update

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fixes: PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions CVE-2026-7258 PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation...

SUSE SLES15 Security Update : php7 (SUSE-SU-2026:2091-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2091-1 advisory. This update for php7 fixes the following issues - CVE-2026-6722: use-after-free in SOAP using Apache map can lead to remote code...

USN-8336-1: PHP vulnerabilities

Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An attacker could possibly use this issue to perform SQL injection attacks. CVE-2025-14179 It was discovered that PHP incorrectly handled certain encoding...

USN-8336-1 php8.1, php8.3, php8.4, php8.5 vulnerabilities

Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An attacker could possibly use this issue to perform SQL injection attacks. CVE-2025-14179 It was discovered that PHP incorrectly handled certain encoding...

CLSA-2026-1779292803 Fix CVE(s): CVE-2026-6735

SECURITY UPDATE: XSS within status endpoint in PHP-FPM - debian/patches/CVE-2026-6735.patch: XSS within status endpoint in PHP-FPM - CVE-2026-6735...

Astra Linux - уязвимость в php7.3

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25, and 8.0.x below 8.0.12, when running PHP FPM SAPI with the main FPM daemon process running as the root user and child worker processes running as lower-privileged users, it is possible for the child processes to access memory...

SUSE SLES15 Security Update : php8 (SUSE-SU-2026:1958-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1958-1 advisory. This update for php8 fixes the following issues - CVE-2025-14179: improper handling of NULL bytes by the PDO Firebird driver when...

CLSA-2026-1779123668 Fix CVE(s): CVE-2026-6735

SECURITY UPDATE: XSS via unsanitized request URI in PHP-FPM status page - debian/patches/CVE-2026-6735.patch: escape requesturi with HTML entities in fpmstatushandlerequest for HTML/XML output formats, and fix querystring escape flags in sapi/fpm/fpm/fpmstatus.c - CVE-2026-6735...

CVE-2026-6735

A flaw was found in PHP, specifically within the PHP-FPM status page. Due to improper sanitation of user data, a remote attacker can craft a malicious URL. When a user views the PHP-FPM status page with this crafted URL, it can lead to the execution of arbitrary JavaScript code Cross-Site Scripti...

Security update for php8

This update for php8 fixes the following issues CVE-2025-14179: improper handling of NULL bytes by the PDO Firebird driver when preparing SQL queries can lead to SQL injection bsc1264778. CVE-2026-6722: use-after-free in SOAP using Apache map can lead to remote code execution bsc1264776...

CLSA-2026-1778670864 php: Fix of CVE-2026-6735

CVE-2026-6735: HTML-encode proc.requesturi and tighten querystring entity flags in sapi/fpm/fpm/fpmstatus.c to fix XSS in PHP-FPM status endpoint...

CLSA-2026-1778670534 php: Fix of CVE-2026-6735

CVE-2026-6735: HTML-encode proc.requesturi and tighten querystring entity flags in sapi/fpm/fpm/fpmstatus.c to fix XSS in PHP-FPM status endpoint...

OPENSUSE-SU-2026:20745-1 Security update for php8

This update for php8 fixes the following issues - CVE-2025-14179: improper handling of NULL bytes by the PDO Firebird driver when preparing SQL queries can lead to SQL injection bsc1264778. - CVE-2026-6104: out-of-bounds read when processing an encoding name containing an embedded NULL byte in...

BIT-PHP-2026-6735 XSS within PHP-FPM status endpoint

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, 8.5. before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code XSS on the target's machine when the target is viewing...

BIT-LIBPHP-2026-6735 XSS within PHP-FPM status endpoint

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, 8.5. before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code XSS on the target's machine when the target is viewing...

PT-2026-40305

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, 8.5. before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code XSS on the target's machine when the target is viewing...

PT-2026-40280

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, 8.5. before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code XSS on the target's machine when the target is viewing...