Php

An unauthenticated attacker can exploit a vulnerability in the PHP JWT Library's PBES2AESKW::unwrapKey() function when processing JWE tokens that use PBES2-HS*+A*KW algorithms by crafting a JWE with an excessively large 'p2c' (PBKDF2 iteration count) parameter in the JOSE header, forcing the server to perform an unbounded and CPU-intensive PBKDF2 computation, resulting in a CPU-amplification denial of service.

A Time-of-Check/Time-of-Use (TOCTOU) vulnerability exists in the `JWSVerifier` and `JWEDecrypter` components of the `web-token/jwt-framework` and `web-token/jwt-library` PHP packages, allowing an attacker to override the integrity-protected `alg` parameter from the unprotected header, leading to authentication bypass and unauthorized access.

The spomky-labs/otphp library is vulnerable to a denial of service (GHSA-g7m4-839x-ch6v) where an unbounded 'digits' parameter in an otpauth provisioning URI causes a DivisionByZeroError, leading to unhandled fatal errors in applications trying to generate or verify OTPs.

Pimcore v11 and earlier is vulnerable to unsafe PHP deserialization in multiple locations due to missing `allowed_classes` restrictions when calling `unserialize()` on data from database columns and filesystem files; an attacker with control over serialized data sources (e.g., via SQL injection or file write vulnerabilities) can inject PHP gadget chains, leading to remote code execution.

Attackers compromised Laravel Lang packages by rewriting GitHub tags, distributing a credential-stealing malware targeting cloud credentials, secrets, keys, browser data, and cryptocurrency wallets across Windows, Linux, and macOS systems.

A remote attacker can exploit multiple vulnerabilities in PHP to disclose information, cause a denial-of-service condition, perform a Server-Side Request Forgery (SSRF) attack, or achieve unknown impacts.

A vulnerability in Twig versions 3.15.0 to 3.26.0 (CVE-2026-46640) allows arbitrary PHP code execution via the `_self.(<string>)` macro-reference compilation, enabling attackers to inject and execute arbitrary PHP code by supplying malicious template source, bypassing the SandboxExtension.

KnpLabs knp-snappy versions 1.7.0 and earlier are vulnerable to command injection (CVE-2026-46643) due to an inverted is_executable check, which prevents proper shell escaping of the binary path, potentially leading to command execution if the binary path is attacker-influenced.

The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to unauthenticated remote code execution (RCE) due to PHP function injection, allowing attackers to execute arbitrary code on affected sites.

PHP Timeclock 1.04 is vulnerable to time-based and boolean-based blind SQL injection in the login_userid parameter of login.php, allowing unauthenticated attackers to extract sensitive database information by sending crafted POST requests with SQL payloads.

Schlix CMS 2.2.6-6 contains a remote code execution vulnerability, tracked as CVE-2021-47964, allowing authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager and triggering execution by accessing the 'About' tab.

A local file inclusion vulnerability (CVE-2026-39850) exists in Yii 2 versions prior to 2.0.55 due to the `View::renderPhpFile()` method's handling of the `_file_` parameter, allowing attackers to read arbitrary files and potentially achieve remote code execution if they can write PHP files.

Aero CMS 0.0.1 is vulnerable to PHP code injection (CVE-2022-50944), allowing an authenticated attacker to execute arbitrary PHP code by uploading malicious files through the image parameter, leading to remote code execution on the server.

The webonyx/graphql-php library has an unbounded recursion vulnerability in its parser that can lead to a stack overflow, causing a denial of service by terminating the PHP process with a SIGSEGV.

The `OverlappingFieldsCanBeMerged` validation rule in `webonyx/graphql-php` has an `O(n^2 x m^2)` worst-case complexity due to flattened inline fragments, leading to potential resource exhaustion.

Composer is vulnerable to command injection via a malicious Perforce repository due to improper escaping of user-supplied Perforce connection parameters, potentially leading to arbitrary command execution in the context of the user running Composer.

A remote SQL injection vulnerability exists in PHPGurukul Daily Expense Tracking System 1.1 within the /register.php file, where manipulation of the email argument allows for arbitrary SQL command execution, with a public exploit available.

The Smart Post Show WordPress plugin versions 3.0.12 and earlier are vulnerable to PHP Object Injection via deserialization of untrusted input in the import_shortcodes() function, potentially leading to remote code execution if a suitable POP chain is present.

CVE-2025-5804 is a PHP Local File Inclusion vulnerability in the Case Theme User WordPress plugin before version 1.0.4 due to improper filename control in include/require statements, potentially allowing attackers to execute arbitrary code by including malicious local files.

PHPGurukul News Portal Project version 4.1 is vulnerable to SQL injection via the Comment parameter in /news-details.php, potentially allowing remote attackers to execute arbitrary SQL queries.

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-3296) in versions up to 3.4.3, allowing unauthenticated attackers to execute arbitrary code by injecting serialized PHP objects via form fields.

A critical broken access control vulnerability (CVE-2026-39355) in Genealogy PHP application versions prior to 5.9.1 allows authenticated users to transfer ownership of arbitrary teams, leading to complete takeover of team workspaces and unrestricted data access.

Brave CMS versions prior to 2.0.6 contain an unrestricted file upload vulnerability within the CKEditor upload functionality in the ckupload method, allowing authenticated users to upload executable PHP scripts and achieve Remote Code Execution.

Auth0-PHP SDK versions 8.0.0 to before 8.19.0 encrypt cookies with insufficient entropy, potentially allowing attackers to brute-force the encryption key and forge session cookies.

A denial-of-service vulnerability exists in the Protobuf PHP library due to maliciously crafted messages with negative varints or deep recursion, leading to application crashes and impacting service availability.

PhreeBooks ERP 5.2.3 is vulnerable to remote code execution, allowing authenticated attackers to upload and execute arbitrary PHP files via the image manager, leading to reverse shell connections and system command execution.

PhpSpreadsheet is vulnerable to Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) due to improper validation of filenames in the IOFactory::load function, exploitable via PHP wrappers like `phar://` and `ftp://`.

CI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to remote code execution; an authenticated backend user with theme upload permissions can upload a crafted ZIP file containing a PHP file, which is then installed into the web-accessible public directory without filtering, allowing direct execution via HTTP.

A reflected XSS vulnerability exists in FlightPHP versions prior to 3.18.1 due to improper validation of the jsonp query parameter in the Flight::jsonp() function, allowing attackers to inject arbitrary JavaScript leading to cookie theft, session hijacking, and data exfiltration.

Scramble versions 0.13.2 through 0.13.21 are vulnerable to remote code execution due to the evaluation of user-controlled input in validation rules during documentation generation, potentially allowing attackers to execute arbitrary PHP code.

A vulnerability in PhpSpreadsheet exists where a crafted XLSX file containing a large row number can cause excessive CPU consumption due to unbounded loop iterations, leading to a denial of service.

Phpseclib versions 3.0.0 before 3.0.34 are vulnerable to an integer overflow when loading untrusted ASN.1 files, such as X.509 certificates and RSA PKCS8 keys, potentially leading to denial of service or remote code execution.

Unauthenticated attackers can exploit a PHP code injection vulnerability in OpenCATS versions prior to commit 3002a29 by injecting malicious PHP code into the installer's AJAX endpoint, leading to arbitrary code execution.