Vulnerabilities > PHP > Critical

DATE CVE VULNERABILITY TITLE RISK
2017-05-24 CVE-2017-9225 Out-of-bounds Write vulnerability in multiple products
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5.
network
low complexity
oniguruma-project ruby-lang php CWE-787
critical
9.8
2017-05-24 CVE-2017-9224 Out-of-bounds Read vulnerability in multiple products
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5.
network
low complexity
oniguruma-project php CWE-125
critical
9.8
2017-05-21 CVE-2017-9119 Resource Exhaustion vulnerability in multiple products
The i_zval_ptr_dtor function in Zend/zend_variables.h in PHP 7.1.5 allows attackers to cause a denial of service (memory consumption and application crash) or possibly have unspecified other impact by triggering crafted operations on array data structures.
network
low complexity
php netapp CWE-400
critical
9.8
2017-05-12 CVE-2017-8923 Out-of-bounds Write vulnerability in PHP
The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.
network
low complexity
php CWE-787
critical
9.8
2017-01-24 CVE-2016-10160 Off-by-one Error vulnerability in multiple products
Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.
network
low complexity
php netapp debian CWE-193
critical
9.8
2017-01-23 CVE-2016-5873 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP Pecl Http 3.0.1
Buffer overflow in the HTTP URL parsing functions in pecl_http before 3.0.1 might allow remote attackers to execute arbitrary code via non-printable characters in a URL.
network
low complexity
php CWE-119
critical
9.8
2017-01-12 CVE-2016-7479 Use After Free vulnerability in PHP
In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free.
network
low complexity
php CWE-416
critical
9.8
2017-01-11 CVE-2016-7480 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.
network
low complexity
php netapp CWE-119
critical
9.8
2017-01-11 CVE-2017-5340 Integer Overflow or Wraparound vulnerability in multiple products
Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data.
network
low complexity
php netapp CWE-190
critical
9.8
2017-01-04 CVE-2016-9936 Use After Free vulnerability in PHP
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data.
network
low complexity
php CWE-416
critical
9.8