Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: php (UTSA-2026-016501)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016501 advisory. In PHP versions 8.1. before 8.1.31, 8.2. before 8.2.26, 8.3. before 8.3.14, due to an error inconvert.quoted-printable-decode filter certain data can lead to buffer...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: php (UTSA-2026-005838)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005838 advisory. In PHP versions:8.1. before 8.1.33, 8.2. before 8.2.29, 8.3. before 8.3.23, 8.4. pgsql and pdopgsql escaping functions do not check if the underlying quoting functio...

Unity Linux 20.1070e Security Update: php (UTSA-2025-984693)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-984693 advisory. In PHP from 8.1. before 8.1.32, from 8.2. before 8.2.28, from 8.3. before 8.3.19, from 8.4. before 8.4.5, when http request module parses HTTP response obtained from...

BIT-LIBPHP-2022-31627 Heap buffer overflow in finfo_buffer

In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfobuffer, due to incorrect patch applied to the third party code from libmagic, incorrect function may be used to free allocated memory, which may lead to heap corruption...

UBUNTU-CVE-2025-1220

In PHP versions:8.1. before 8.1.33, 8.2. before 8.2.29, 8.3. before 8.3.23, 8.4. before 8.4.10 some functions like fsockopen lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parseurl treat the hostname in different way, thus openin...

CVE-2025-48827

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025...

CVE-2025-48827

CVE-2025-48827 affects vBulletin 5.0.0–5.7.5 and 6.0.0–6.0.3. The issue is an authentication bypass that allows unauthenticated attackers on PHP 8.1+ to invoke protected API controller methods remotely (e.g., via /api.php?method=protectedMethod), with confirmed exploitation in the wild and potent...

PT-2025-22961

Name of the Vulnerable Software and Affected Versions vBulletin versions 5.0.0 through 5.7.5 vBulletin versions 6.0.0 through 6.0.3 Description The issue allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the...

RHEL 9 : php:8.1 (RHSA-2025:4263)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:4263 advisory. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fixes: php: Leak partial content of the heap...

Amazon Linux 2023 : php8.1, php8.1-bcmath, php8.1-cli (ALAS2023-2025-916)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-916 advisory. Header parser of http stream wrapper does not handle folded headers. CVE-2025-1217 When requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used t...

USN-7400-1 php7.4, php8.1, php8.3 vulnerabilities

It was discovered that PHP incorrectly handle certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code. CVE-2024-11235 It was discovered that PHP incorrectly handle certain folded headers. An attacker could possibly use this issue to cause a crash or...

php:8.1 security update

An update is available for php-pecl-zip, module.php-pecl-apcu, php-pecl-xdebug3, module.php-pecl-xdebug3, php-pecl-rrd, module.php-pecl-rrd, module.php-pecl-zip, php-pecl-apcu. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severit...

Oracle Linux 9 : php:8.1 (ELSA-2024-10950)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-10950 advisory. php 8.1.30-1 - rebase to 8.1.30 RHEL-64144 php-pecl-apcu 5.1.21-1 - update to 5.1.21 for PHP 8.1 2070040 php-pecl-rrd php-pecl-xdebug3 3.1.4-1 - updat...

php:8.1 security update

php 8.1.30-1 - rebase to 8.1.30 RHEL-64144 php-pecl-apcu 5.1.21-1 - update to 5.1.21 for PHP 8.1 2070040 php-pecl-rrd php-pecl-xdebug3 3.1.4-1 - update to 3.1.4 for PHP 8.1 2070040 php-pecl-zip 1.20.1-1 - update to 1.20.1 for PHP 8.1 2070040...

RHEL 9 : php:8.1 (RHSA-2024:10950)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:10950 advisory. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fixes: php: host/secure cookie bypass due to...

ALSA-2024:10950 Moderate: php:8.1 security update

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fixes: php: host/secure cookie bypass due to partial CVE-2022-31629 fix CVE-2024-2756 php: passwordverify can erroneously return true, opening ATO risk CVE-2024-3096 php: Filter bypass in filtervar...

CVE-2024-11234 Configuring a proxy in a stream context might allow for CRLF injection in URIs

In PHP versions 8.1. before 8.1.31, 8.2. before 8.2.26, 8.3. before 8.3.14, when using streams with configured proxy and "requestfulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests...

CVE-2024-11236

CVE-2024-11236 affects PHP versions with ldap_escape() on 32-bit systems where uncontrolled long inputs can overflow an integer, causing an out-of-bounds write. Affected are PHP 8.1.x before 8.1.31, 8.2.x before 8.2.26, and 8.3.x before 8.3.14. The issue is described in multiple sources, includin...

PHP 8.1.x < 8.1.30 Multiple Vulnerabilities

According to its self-reported version number, the version of PHP installed on the remote host is 8.1.x prior to 8.1.30, 8.2.x prior to 8.2.24, or 8.3.x prior to 8.3.12. It is, therefore, affected by multiple vulnerabilities: - Parameter injection vulnerability with a bypass of CVE-2024-4577...

PHP 8.1.x < 8.1.30 Multiple Vulnerabilities

The version of PHP installed on the remote host is prior to 8.1.30. It is, therefore, affected by multiple vulnerabilities as referenced in the Version 8.1.30 advisory. - In PHP versions 8.1. before 8.1.30, 8.2. before 8.2.24, 8.3. before 8.3.12, when using a certain non- standard configurations ...