CVE-2026-10288
A vulnerability was identified in code-projects Hotel and Tourism Reservation System 1.0. This issue affects the function password_verify of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Password leads to improper authentication. It is possible to launch...
Astra Linux - vulnerability in php7.3
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3, the password_verify function may accept some invalid Blowfish hashes as valid. If such invalid hashes end up in the password database, it may allow an application to accept any password for that entry as valid...
EUVD-2025-208444
FreshRSS is a free, self-hostable RSS aggregator. From 57e1a37 - 00f2f04, the length of the nonce was changed from 40 chars to 64. password_verify is currently being called with a constructed string SHA-256 nonce + part of a bcrypt hash instead of the raw user password. Due to bcrypt’s 72-byte...
MiracleLinux 9 : php-8.0.30-1.el9 (AXSA:2023-6528:03)
The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-6528:03 advisory. php: XML loading external entity without being enabled CVE-2023-3823 php: phar Buffer mismanagement CVE-2023-3824 php: 1-byte array overrun in commo...
MiracleLinux 9 : php:8.1 (AXSA:2024-9437:01)
The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-9437:01 advisory. php: host/secure cookie bypass due to partial CVE-2022-31629 fix CVE-2024-2756 php: password_verify can erroneously return true, opening ATO risk...
TencentOS Server 3: php:7.4 (TSSA-2024:1123)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:1123 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...
Oracle Linux 9 : php (ELSA-2025-7315)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2025-7315 advisory. - Fix Leak partial content of the heap through heap buffer over-read CVE-2024-8929 - Fix Configuring a proxy in a stream context might allow for CRLF...
php: password_verify can erroneously return true, opening ATO risk
A null byte interaction error vulnerability was found in PHP. If a password stored with password_hash starts with a null byte \x00, testing a blank string as the password via password_verify will incorrectly return true. If a user can create a password with a leading null byte (unlikely, but...
Moderate: Red Hat Security Advisory: php security update
An update for php is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CV...
SUSE CVE-2024-3096
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash starts with a null byte \x00, testing a blank string as the password via password_verify will incorrectly return true...
BIT-PHP-MIN-2023-0567 password_verify() always returns true for some invalid hashes
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the password_verify function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid...
CLSA-2024-1735311613 php: Fix of 2 CVEs
CVE-2023-0567: fix issue causing password_verify function to accept invalid Blowfish hashes as valid - CVE-2023-3247: fix issue with SOAP HTTP Digest Authentication random value generator not checking for failure, leading to disclosure of uninitialized memory and easier guessing of client's nonce...
CLSA-2024-1735161696 php: Fix of 3 CVEs
CVE-2024-2756: Fix issue introduced by incomplete fix of CVE-2022-31629 to prevent network and same-site attackers from setting insecure cookies in victim's browser - CVE-2024-3096: Fix issue where password_verify incorrectly returns true when testing a blank string with password starting with a...
ROS-20240826-02
Vulnerability of the password_verify function of the PHP programming language interpreter is related to flaws in the authentication procedure. Exploitation of the vulnerability could allow an attacker acting remotely to bypass the authentication process and gain unauthorized...
ROS-20240826-22
Vulnerability of the password_verify function of the PHP programming language interpreter is related to flaws in the authentication procedure. Exploitation of the vulnerability could allow an attacker acting remotely to bypass the authentication process and gain unauthorized...
ROS-20240826-21
Vulnerability of the password_verify function of the PHP programming language interpreter is related to flaws in the authentication procedure. Exploitation of the vulnerability could allow an attacker acting remotely to bypass the authentication process and gain unauthorized...
CBL Mariner 2.0 Security Update: php (CVE-2024-3096)
The version of php installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-3096 advisory. - In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash...
OESA-2024-1668 php security update
PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is...
Important: php8.2
Issue Overview: The vulnerability allows a remote attacker to bypass implemented security restrictions. The vulnerability exists due to the way PHP handles HTTP variable names. A remote attacker can set a standard insecure cookie in the victim's browser which is treated as a Host- or Secure- cook...
Amazon Linux 2023 : php8.2, php8.2-bcmath, php8.2-cli (ALAS2023-2024-624)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-624 advisory. The vulnerability allows a remote attacker to bypass implemented security restrictions. The vulnerability exists due to the way PHP handles HTTP variable names. A remote attacker can set a...