https://cxsecurity.com/wlb/ PHP Vulnerabilities - CXSECURITY.COM WLB2CVEMAP Database en-US Sat, 25 Apr 2026 12:11:56 +0000 CVEMAP.ORG https://cxsecurity.com/cveproducts/ https://cxsecurity.com/images/wlb/wlblogo.png PHP Vulnerabilities - World Laboratory of Bugtraq 2 Common Vulnerabilities and Exposures Map (WLB2CVEMAP) https://cxsecurity.com/cveshow/CVE-2021-21708/ CVE-2021-21708 2022-02-27 In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits. https://cxsecurity.com/cveshow/CVE-2021-21707/ CVE-2021-21707 2021-11-29 In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended. https://cxsecurity.com/cveshow/CVE-2021-21703/ CVE-2021-21703 2021-10-25 In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user. https://cxsecurity.com/cveshow/CVE-2021-21704/ CVE-2021-21704 2021-10-04 In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption. https://cxsecurity.com/cveshow/CVE-2021-21705/ CVE-2021-21705 2021-10-04 In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision. https://cxsecurity.com/cveshow/CVE-2021-21702/ CVE-2021-21702 2021-02-15 In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash. https://cxsecurity.com/cveshow/CVE-2020-7071/ CVE-2020-7071 2021-02-15 In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL. https://cxsecurity.com/cveshow/CVE-2020-7068/ CVE-2020-7068 2020-09-09 In PHP versions 7.2.x below 7.3.21, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure. https://cxsecurity.com/cveshow/CVE-2019-11048/ CVE-2019-11048 2020-05-20 In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server. https://cxsecurity.com/cveshow/CVE-2020-7067/ CVE-2020-7067 2020-04-27 In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.