PHP — community ground truth
2 notable / known-exploited PHP CVEs the community has triaged.
ⓘ Not an exhaustive list — we focus on the findings that matter (exploited / notable). For every PHP CVE, see NVD ↗.
- CVE-2012-1823CVSS 9.8KEVEPSS 100%
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
- CVE-2019-11043CVSS 8.7KEVEPSS 99%
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.