Sylius 1.14-dev
149 vulnerabilities were found
1 abandoned package was found
| Ecosystem | Total | Critical | High | Medium | Low | Unrated |
|---|---|---|---|---|---|---|
| Composer | 58 | 0 | 9 | 12 | 7 | 0 |
| Php/php | 43 | 5 | 15 | 12 | 4 | 7 |
| Apache/http_server | 48 | 6 | 17 | 10 | 0 | 15 |
Composer
high Twig has a possible sandbox bypass
Affected versions: >=3.0.0,<3.14.0|>=2.0.0,<2.16.1|>=1.0.0,<1.44.8
Patched versions: 1.44.8 2.16.1 3.14.0
https://github.com/advisories/GHSA-6j75-5wfj-gh66
Sandbox `__toString()` policy bypass via dynamic mapping keys
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
Patched versions: none listed
https://symfony.com/blog/cve-2026-48806-sandbox-tostring-policy-bypass-via-dynamic-mapping-keys
`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
Affected versions: >=3.9.0,<3.26.0
Patched versions: none listed
https://symfony.com/cve-2026-46634
low Unguarded calls to __isset() and to array-accesses when the sandbox is enabled
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1
Patched versions: 3.11.2 3.14.1
https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled
`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions: none listed
https://symfony.com/cve-2026-46638
Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions: none listed
https://symfony.com/cve-2026-47732
Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
Patched versions: none listed
https://symfony.com/blog/cve-2026-48808-sandbox-property-allowlist-bypass-via-the-column-filter-under-sourcepolicyinterface
Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
Patched versions: none listed
https://symfony.com/blog/cve-2026-48805-sandbox-state-regression-in-deprecated-internal-wrappers-in-src-resources-core-php
Possible sandbox bypass when using a source policy
Affected versions: >=2.16.0,<3.0.0|>=3.9.0,<3.26.0
Patched versions: none listed
https://symfony.com/cve-2026-24425
PHP code injection via `{% use %}` template name
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions: none listed
https://symfony.com/cve-2026-46633
Sandbox does not protect against resource exhaustion
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions: none listed
https://symfony.com/cve-2026-46627
Sandbox property allowlist bypass via the `column` filter (array_column on objects)
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions: none listed
https://symfony.com/cve-2026-46635
The `spaceless` filter implicitly marks its output as safe
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions: none listed
https://symfony.com/cve-2026-46628
XSS in profiler HtmlDumper via unescaped template and profile names
Affected versions: >=3.0.0,<3.26.0
Patched versions: none listed
https://symfony.com/cve-2026-47730
Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
Patched versions: none listed
https://symfony.com/blog/cve-2026-48807-sandbox-tostring-policy-bypass-via-traversable-in-join-replace-and-in-not-in-operators
Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0
Patched versions: none listed
https://symfony.com/blog/cve-2026-46636-sandbox-filter-tag-and-function-allow-list-bypass-when-sandbox-state-changes-between-renders
low Unguarded calls to __toString() when nesting an object into an array
Affected versions: >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1
Patched versions: 3.11.2 3.14.1
https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array
1 symfony/http-client —— v6.4.7 +
low CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient
Affected versions: >=4.3.0,<4.4.0|>=4.4.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Patched versions: 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50342
3 symfony/http-foundation —— v6.4.7 +
high CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.50|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.29|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.3.7
Patched versions: 5.4.50 6.4.29 7.3.7
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
low CVE-2024-50345: Open redirect via browser-sanitized URLs
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Patched versions: 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50345
CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
Affected versions: >=6.4.0,<6.4.41|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.13|>=8.0.0,<8.0.13
Patched versions: none listed
https://symfony.com/cve-2026-48736
high CVE-2024-51736: Command execution hijack on Windows with Process class
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Patched versions: 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-51736
medium Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
Affected versions: >=8.0,<8.0.5|>=7.4,<7.4.5|>=7.3,<7.3.11|>=6.4,<6.4.33|<5.4.51
Patched versions: 5.4.51 6.4.33 7.3.11 7.4.5 8.0.5
https://github.com/advisories/GHSA-r39x-jcww-82v6
1 symfony/security-bundle —— v6.4.7 +
low CVE-2024-50341: Security::login does not take into account custom user_checker
Affected versions: >=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.10|>=7.0.0,<7.0.10|>=7.1.0,<7.1.3
Patched versions: 6.4.10 7.0.10 7.1.3
https://symfony.com/cve-2024-50341
1 symfony/validator —— v6.4.7 +
low CVE-2024-50343: Incorrect response from Validator when input ends with `\n`
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.43|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.11|>=7.0.0,<7.1.0|>=7.1.0,<7.1.4
Patched versions: 5.4.43 6.4.11 7.1.4
https://symfony.com/cve-2024-50343
4 symfony/security-http —— v6.4.7 +
high CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie
Affected versions: >=5.3.0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8
Patched versions: 5.4.47 6.4.15 7.1.8
https://symfony.com/cve-2024-51996
CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.53|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.41|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.13|>=8.0.0,<8.0.13
Patched versions: none listed
https://symfony.com/cve-2026-48489
CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
Affected versions: >=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Patched versions: none listed
https://symfony.com/cve-2026-45069
CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Patched versions: none listed
https://symfony.com/cve-2026-45063
1 sylius/sylius —— 1.14.x-dev +
medium Sylius allows unrestricted brute-force attacks on user accounts
Affected versions: <=2.0.2
Patched versions: none listed
https://github.com/advisories/GHSA-2hjh-495w-hmxc
2 sylius/paypal-plugin —— v1.6.0 +
medium Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout
Affected versions: >=2.0.0,<2.0.2|>=1.7.0,<1.7.2|<1.6.2
Patched versions: 1.6.2 1.7.2 2.0.2
https://github.com/advisories/GHSA-hxg4-65p5-9w37
medium Sylius PayPal Plugin Payment Amount Manipulation Vulnerability
Affected versions: >=2.0.0,<2.0.1|>=1.7.0,<1.7.1|<1.6.1
Patched versions: 1.6.1 1.7.1 2.0.1
https://github.com/advisories/GHSA-pqq3-q84h-pj6x
2 api-platform/core —— v2.7.18 +
high GraphQL query operations security can be bypassed
Affected versions: <4.0.22
Patched versions: 4.0.22
https://github.com/advisories/GHSA-cg3c-245w-728m
high GraphQL grant on a property might be cached with different objects
Affected versions: <4.0.22
Patched versions: 4.0.22
https://github.com/advisories/GHSA-428q-q3vv-3fq3
1 enshrined/svg-sanitize —— 0.16.0 +
medium svg-sanitizer Bypasses Attribute Sanitization
Affected versions: <0.22.0
Patched versions: 0.22.0
https://github.com/advisories/GHSA-22wq-q86m-83fh
4 phpseclib/phpseclib —— 2.0.47 +
high phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack
Affected versions: <=1.0.26|>=2.0.0,<=2.0.51|>=3.0.0,<=3.0.49
Patched versions: 3.0.50 2.0.52 1.0.27
https://github.com/advisories/GHSA-94g3-g5v7-q4jg
high phpseclib has a CVE-2024-27355 mitigation bypass — OID amplification DoS in ASN1::decodeOID()
Affected versions: >=3.0.0,<=3.0.51|>=2.0.0,<=2.0.53|>=0.0.11,<=1.0.28
Patched versions: 1.0.29 2.0.54 3.0.52
https://github.com/advisories/GHSA-3qpq-r242-jqj7
medium phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access
Affected versions: >=3.0.0,<=3.0.53|>=2.0.0,<=2.0.54|>=0.1.1,<=1.0.29
Patched versions: 1.0.30 2.0.55 3.0.54
https://github.com/advisories/GHSA-m557-wrgg-6rp4
low phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()
Affected versions: >=3.0.0,<3.0.51|>=2.0.0,<2.0.53|<1.0.28
Patched versions: 1.0.28 2.0.53 3.0.51
https://github.com/advisories/GHSA-r854-jrxh-36qx
CVE-2026-45073: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Patched versions: none listed
https://symfony.com/cve-2026-45073
CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Patched versions: none listed
https://symfony.com/cve-2026-45068
CVE-2026-45067: Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Patched versions: none listed
https://symfony.com/cve-2026-45067
CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Patched versions: none listed
https://symfony.com/cve-2026-45070
1 symfony/monolog-bridge —— v6.4.7 +
CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Patched versions: none listed
https://symfony.com/cve-2026-45077
CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.53|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.41|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.13|>=8.0.0,<8.0.13
Patched versions: none listed
https://symfony.com/cve-2026-48784
CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Patched versions: none listed
https://symfony.com/cve-2026-45065
CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Patched versions: none listed
https://symfony.com/cve-2026-45133
CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Patched versions: none listed
https://symfony.com/cve-2026-45305
CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
Affected versions: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Patched versions: none listed
https://symfony.com/cve-2026-45304
1 twig/intl-extra —— v3.10.0 +
Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments
Affected versions: >=2.12.0,<3.0.0|>=3.0.0,<3.26.0
Patched versions: none listed
https://symfony.com/cve-2026-46629
2 knplabs/knp-snappy —— v1.5.0 +
high Snappy: Binary path is never shell-escaped due to an inverted is_executable check
Affected versions: <=1.7.0
Patched versions: 1.7.1
https://github.com/advisories/GHSA-vpr4-p6fq-85jc
medium Snappy: SSRF and local file read via the xsl-style-sheet option
Affected versions: <=1.6.0
Patched versions: 1.7.0
https://github.com/advisories/GHSA-c5fp-p67m-gq56
1 symfony/polyfill-intl-idn —— v1.29.0 +
CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence
Affected versions: >=1.17.1,<1.38.1
Patched versions: none listed
https://symfony.com/cve-2026-46644
medium CRLF injection in HTTP start-line serialization
Affected versions: <2.12.1
Patched versions: 2.12.1
https://github.com/guzzle/psr7/security/advisories/GHSA-vm85-hxw5-5432
medium guzzlehttp/psr7 has CRLF Injection via URI Host Component
Affected versions: <2.10.2
Patched versions: 2.10.2
https://github.com/advisories/GHSA-hq7v-mx3g-29hw
medium guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation
Affected versions: <2.10.2
Patched versions: 2.10.2
https://github.com/advisories/GHSA-34xg-wgjx-8xph
2 guzzlehttp/guzzle —— 7.8.1 +
medium Dot-only cookie domains match all hosts
Affected versions: <7.12.1
Patched versions: 7.12.1
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwxw-98qj-8qjx
medium Silent HTTPS proxy downgrade to cleartext
Affected versions: <7.12.1
Patched versions: 7.12.1
https://github.com/guzzle/guzzle/security/advisories/GHSA-wpwq-4j6v-78m3
Php/php
critical In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading a phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, potentially leading to memory corruption or RCE.
* [https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv](https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/)
* [https://security.netapp.com/advisory/ntap-20230825-0001/](https://security.netapp.com/advisory/ntap-20230825-0001/)
* [https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html](https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html)
critical In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to the ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
* [https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv](https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv)
critical In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
* [https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv](https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv)
* [https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html](https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html)
* [https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/](https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/)
* [https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/](https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/)
* [https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/](https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/)
* [https://github.com/11whoami99/CVE-2024-4577](https://github.com/11whoami99/CVE-2024-4577)
* [https://github.com/xcanwin/CVE-2024-4577-PHP-RCE](https://github.com/xcanwin/CVE-2024-4577-PHP-RCE)
* [https://github.com/rapid7/metasploit-framework/pull/19247](https://github.com/rapid7/metasploit-framework/pull/19247)
* [https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/](https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/)
* [https://github.com/watchtowrlabs/CVE-2024-4577](https://github.com/watchtowrlabs/CVE-2024-4577)
* [https://www.php.net/ChangeLog-8.php#8.1.29](https://www.php.net/ChangeLog-8.php#8.1.29)
* [https://www.php.net/ChangeLog-8.php#8.2.20](https://www.php.net/ChangeLog-8.php#8.2.20)
* [https://www.php.net/ChangeLog-8.php#8.3.8](https://www.php.net/ChangeLog-8.php#8.3.8)
* [https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately](https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately)
* [https://isc.sans.edu/diary/30994](https://isc.sans.edu/diary/30994)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://security.netapp.com/advisory/ntap-20240621-0008/](https://security.netapp.com/advisory/ntap-20240621-0008/)
critical In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing the HTTP redirect in the response to an HTTP request, there is currently a limit on the location value size, caused by the limited size of the location buffer (1024). However, as per RFC 9110, the recommended limit is 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
* [https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff](https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff)
* [https://security.netapp.com/advisory/ntap-20250523-0005/](https://security.netapp.com/advisory/ntap-20250523-0005/)
critical In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
* [https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5](https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5)
high In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to the system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with a NUL value, which might lead to unauthorized data access or modification.
* [https://bugs.php.net/bug.php?id=81746](https://bugs.php.net/bug.php?id=81746)
* [https://security.netapp.com/advisory/ntap-20230517-0001/](https://security.netapp.com/advisory/ntap-20230517-0001/)
high In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, an excessive number of parts in an HTTP form upload can cause high resource consumption and an excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.
* [https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv](https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv)
* [https://security.netapp.com/advisory/ntap-20230517-0001/](https://security.netapp.com/advisory/ntap-20230517-0001/)
high In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling the appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, change that global state for their internal purposes, and leave it in a state where external entity loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.
* [https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr](https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/)
* [https://security.netapp.com/advisory/ntap-20230825-0001/](https://security.netapp.com/advisory/ntap-20230825-0001/)
* [https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html](https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html)
high In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in the convert.quoted-printable-decode filter, certain data can lead to a buffer over-read by one byte, which can in certain circumstances lead to crashes or disclose the content of other memory areas.
* [https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43](https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43)
high In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with a configured proxy and the "request_fulluri" option, the URI is not properly sanitized, which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
* [https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2](https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2)
high In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using the proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in the Windows shell.
* [https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385](https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
high In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 (https://github.com/advisories/GHSA-vxpp-6299-mxw3) may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
* [https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq](https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq)
high In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, the HTTP_REDIRECT_STATUS variable is used to check whether or not the CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to the cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
* [https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp](https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp)
high In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
* [https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7](https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7)
high In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
* [https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2](https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2)
high In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
* [https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm](https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm)
high In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
* [https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj](https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj)
high In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* the pgsql and pdo_pgsql escaping functions do not check whether the underlying quoting functions returned errors. This could cause crashes if the Postgres server rejects the string as invalid.
* [https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3](https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3)
high In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
* [https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528](https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528)
* [https://security.netapp.com/advisory/ntap-20250523-0006/](https://security.netapp.com/advisory/ntap-20250523-0006/)
high In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitization of user data, an attacker can compose a URL which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
* [https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv](https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv)
medium The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.
* [http://osvdb.org/39834](http://osvdb.org/39834)
* [http://securityreason.com/securityalert/2800](http://securityreason.com/securityalert/2800)
* [http://www.acid-root.new.fr/advisories/14070612.txt](http://www.acid-root.new.fr/advisories/14070612.txt)
* [http://www.securityfocus.com/archive/1/471178/100/0/threaded](http://www.securityfocus.com/archive/1/471178/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471204/100/0/threaded](http://www.securityfocus.com/archive/1/471204/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471275/100/0/threaded](http://www.securityfocus.com/archive/1/471275/100/0/threaded)
* [https://exchange.xforce.ibmcloud.com/vulnerabilities/34836](https://exchange.xforce.ibmcloud.com/vulnerabilities/34836)
medium In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the password_verify() function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to the application accepting any password for this entry as valid.
* [https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4](https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4)
* [https://bugs.php.net/bug.php?id=81744](https://bugs.php.net/bug.php?id=81744)
medium In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7, when using SOAP HTTP Digest Authentication, the random value generator was not checked for failure, and it used a narrower range of values than it should have. In case of random generator failure, this could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made it easier for a malicious server to guess the client's nonce.
* [https://github.com/php/php-src/security/advisories/GHSA-76gg-c692-v2mw](https://github.com/php/php-src/security/advisories/GHSA-76gg-c692-v2mw)
medium The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.
* [https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864](https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
medium In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var, when validating URLs (FILTER_VALIDATE_URL), will for certain types of URLs treat invalid user information (the username + password part of URLs) as valid user information. This may lead to downstream code accepting invalid URLs as valid and parsing them incorrectly.
* [https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w](https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html](https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html)
medium In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could allow a malicious attacker who controls part of the submitted data to exclude a portion of other data, potentially leading to erroneous application behavior.
* [https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32](https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32)
medium In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting an HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
Affected versions: 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4 Patched versions:
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)
medium In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10, some functions like fsockopen() lack validation that the supplied hostname does not contain null characters. This may lead other functions like parse_url() to treat the hostname differently, opening the way to security problems if the user code implements access checks before accessing resources through such functions.
* [https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r](https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r)
medium In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from an HTTP server, headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
* [https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44](https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44)
* [https://security.netapp.com/advisory/ntap-20250523-0009/](https://security.netapp.com/advisory/ntap-20250523-0009/)
medium In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass a signed char to ctype functions (like isxdigit()). On systems with a default signed char and optimized table-lookup ctype functions, such as NetBSD, this can lead to accessing an array with a negative offset, which can trigger a denial of service.
* [https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4](https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4)
medium In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case where a SOAP request results in an error, the persistence is handled incorrectly, resulting in the object being freed while a pointer to it is kept, which may lead to a use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.
* [https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q](https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q)
medium In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
* [https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57](https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57)
low In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using the PHP-FPM SAPI configured to catch worker output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from log messages by manipulating the log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
* [https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5](https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5)
low In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when the HTTP request module parses an HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.
Affected versions: 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4 Patched versions:
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)
low In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
* [https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75](https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75)
low In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in the case of a missing value element. This leads to dereferencing a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
* [https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv](https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv)
unassigned In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.
* [https://bugs.php.net/bug.php?id=81740](https://bugs.php.net/bug.php?id=81740)
* [https://security.netapp.com/advisory/ntap-20230223-0007/](https://security.netapp.com/advisory/ntap-20230223-0007/)
unassigned In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using the proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in the Windows shell.
* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7](https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://security.netapp.com/advisory/ntap-20240510-0009/](https://security.netapp.com/advisory/ntap-20240510-0009/)
* [https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585](https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585)
unassigned In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr](https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html)
* [https://security.netapp.com/advisory/ntap-20240510-0010/](https://security.netapp.com/advisory/ntap-20240510-0010/)
unassigned A command injection vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when specific conditions are satisfied.
* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)
unassigned In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.
* [https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678](https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678)
* [https://security.netapp.com/advisory/ntap-20250110-0008/](https://security.netapp.com/advisory/ntap-20250110-0008/)
unassigned In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
* [https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff](https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff)
* [https://security.netapp.com/advisory/ntap-20250110-0009/](https://security.netapp.com/advisory/ntap-20250110-0009/)
unassigned In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10, when parsing XML data in the SOAP extension, an overly large (>2Gb) XML namespace prefix may lead to a null pointer dereference. This may lead to crashes and affect the availability of the target server.
* [https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x](https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x)
Apache/http_server
48 apache/http_server - 2.4.58+
critical A substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to obtain source disclosure of scripts meant only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless the rewrite flag "UnsafeAllow3F" is specified.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
critical The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
critical Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/05/05/9](http://www.openwall.com/lists/oss-security/2026/05/05/9)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
critical Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/06/08/4](http://www.openwall.com/lists/oss-security/2026/06/08/4)
* [http://www.openwall.com/lists/oss-security/2026/06/09/1](http://www.openwall.com/lists/oss-security/2026/06/09/1)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
critical A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
* [http://www.openwall.com/lists/oss-security/2026/06/08/8](http://www.openwall.com/lists/oss-security/2026/06/08/8)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
critical Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/06/08/14](http://www.openwall.com/lists/oss-security/2026/06/08/14)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240415-0013/](https://security.netapp.com/advisory/ntap-20240415-0013/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/)
* [http://www.openwall.com/lists/oss-security/2024/04/04/4](http://www.openwall.com/lists/oss-security/2024/04/04/4)
* [http://www.openwall.com/lists/oss-security/2024/04/03/16](http://www.openwall.com/lists/oss-security/2024/04/03/16)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html)
high A null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
high SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context may allow NTLM hashes to be leaked to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2025/12/04/4](http://www.openwall.com/lists/oss-security/2025/12/04/4)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2025/12/04/5](http://www.openwall.com/lists/oss-security/2025/12/04/5)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off may allow NTLM hashes to be leaked to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2025/12/04/6](http://www.openwall.com/lists/oss-security/2025/12/04/6)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
* [http://www.openwall.com/lists/oss-security/2026/05/04/18](http://www.openwall.com/lists/oss-security/2026/05/04/18)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/05/05/6](http://www.openwall.com/lists/oss-security/2026/05/05/6)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.
* [http://www.openwall.com/lists/oss-security/2026/05/04/20](http://www.openwall.com/lists/oss-security/2026/05/04/20)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/05/04/17](http://www.openwall.com/lists/oss-security/2026/05/04/17)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
* [http://www.openwall.com/lists/oss-security/2026/06/08/6](http://www.openwall.com/lists/oss-security/2026/06/08/6)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie* directives. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/06/08/7](http://www.openwall.com/lists/oss-security/2026/06/08/7)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/06/08/9](http://www.openwall.com/lists/oss-security/2026/06/08/9)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker-controlled OCSP server. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/06/08/12](http://www.openwall.com/lists/oss-security/2026/06/08/12)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTTP Server with an attacker-controlled backend FTP server. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/06/08/13](http://www.openwall.com/lists/oss-security/2026/06/08/13)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.
* [http://www.openwall.com/lists/oss-security/2026/06/08/15](http://www.openwall.com/lists/oss-security/2026/06/08/15)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
high Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
* [http://www.openwall.com/lists/oss-security/2026/06/03/3](http://www.openwall.com/lists/oss-security/2026/06/03/3)
* [http://www.openwall.com/lists/oss-security/2026/06/08/16](http://www.openwall.com/lists/oss-security/2026/06/08/16)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html](https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html)
medium Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server: environment variables set via the Apache configuration can unexpectedly supersede variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2025/12/04/7](http://www.openwall.com/lists/oss-security/2025/12/04/7)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
medium mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to the RequestHeader directive in .htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2025/12/04/8](http://www.openwall.com/lists/oss-security/2025/12/04/8)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
medium A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
* [http://www.openwall.com/lists/oss-security/2026/06/08/5](http://www.openwall.com/lists/oss-security/2026/06/08/5)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
medium A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
* [http://www.openwall.com/lists/oss-security/2026/05/04/21](http://www.openwall.com/lists/oss-security/2026/05/04/21)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
medium A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
* [http://www.openwall.com/lists/oss-security/2026/05/04/22](http://www.openwall.com/lists/oss-security/2026/05/04/22)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
medium HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/05/04/23](http://www.openwall.com/lists/oss-security/2026/05/04/23)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
medium Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/05/04/15](http://www.openwall.com/lists/oss-security/2026/05/04/15)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
medium Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/05/04/16](http://www.openwall.com/lists/oss-security/2026/05/04/16)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
medium Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response languages. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
* [http://www.openwall.com/lists/oss-security/2026/06/08/10](http://www.openwall.com/lists/oss-security/2026/06/08/10)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
medium Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2026/06/08/11](http://www.openwall.com/lists/oss-security/2026/06/08/11)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
unassigned Faulty input validation in the core of Apache HTTP Server allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.
* [http://seclists.org/fulldisclosure/2024/Jul/18](http://seclists.org/fulldisclosure/2024/Jul/18)
* [http://www.openwall.com/lists/oss-security/2024/04/04/3](http://www.openwall.com/lists/oss-security/2024/04/04/3)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/)
* [https://security.netapp.com/advisory/ntap-20240415-0013/](https://security.netapp.com/advisory/ntap-20240415-0013/)
* [https://support.apple.com/kb/HT214119](https://support.apple.com/kb/HT214119)
unassigned HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
* [http://seclists.org/fulldisclosure/2024/Jul/18](http://seclists.org/fulldisclosure/2024/Jul/18)
* [http://www.openwall.com/lists/oss-security/2024/04/04/5](http://www.openwall.com/lists/oss-security/2024/04/04/5)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/)
* [https://security.netapp.com/advisory/ntap-20240415-0013/](https://security.netapp.com/advisory/ntap-20240415-0013/)
* [https://support.apple.com/kb/HT214119](https://support.apple.com/kb/HT214119)
unassigned Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.
* [http://www.openwall.com/lists/oss-security/2024/07/01/4](http://www.openwall.com/lists/oss-security/2024/07/01/4)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
unassigned SSRF in Apache HTTP Server on Windows can leak NTLM hashes to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Note: existing configurations that access UNC paths will have to configure the new directive "UNCList" to allow access during request processing.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [http://www.openwall.com/lists/oss-security/2024/07/01/5](http://www.openwall.com/lists/oss-security/2024/07/01/5)
unassigned Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [http://www.openwall.com/lists/oss-security/2024/07/01/6](http://www.openwall.com/lists/oss-security/2024/07/01/6)
unassigned Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreference or variable as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution has been appropriately constrained.
* [http://www.openwall.com/lists/oss-security/2024/07/01/8](http://www.openwall.com/lists/oss-security/2024/07/01/8)
* [https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf](https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [https://www.blackhat.com/us-24/briefings/schedule/index.html#confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-pre-recorded-40227](https://www.blackhat.com/us-24/briefings/schedule/index.html#confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-pre-recorded-40227)
unassigned Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
* [http://www.openwall.com/lists/oss-security/2024/07/01/11](http://www.openwall.com/lists/oss-security/2024/07/01/11)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
unassigned HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response. This vulnerability was described as CVE-2023-38709, but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
unassigned SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
unassigned Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows can leak NTLM hashes to a malicious server via mod_rewrite or Apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: the Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC paths. Windows servers should limit the hosts they will connect to over SMB, given the nature of NTLM authentication.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
unassigned Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
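As an added example (not code from the httpd project), the following Python helpers cover the two checks the mod_ssl log-escaping advisory above invites: confirm whether a LogFormat routes mod_ssl variables through the unescaped `%{...}x` / `%{...}c` items, and sweep existing access logs for raw control bytes that a client-chosen SNI could have planted. The LogFormat and the log lines are constructed for this example; `escape_logitem` mirrors the escaping mod_log_config applies to the fields it does sanitise, so it shows what a patched server should write for those fields.

```python
import re

# Raw bytes that mod_log_config escapes in the fields it sanitises; before the fix,
# %{...}x / %{...}c values from mod_ssl (e.g. SSL_TLS_SNI) bypassed that escaping.
RAW_CONTROL = re.compile(r"[\x00-\x1f\x7f-\xff]")
# %{VAR}x and %{VAR}c items in a LogFormat string, i.e. the fields the advisory covers.
MODULE_VAR = re.compile(r"%\{([^}]+)\}[xc]")

# Constructed sample access log lines, written with a format such as
#   LogFormat "%h \"%{SSL_TLS_SNI}x\" \"%r\" %>s" sni
# Line 2 has a client-chosen SNI carrying a raw ESC (clear-line sequence) and CR, so a
# forged "record" for 198.51.100.1 appears when the file is viewed in a terminal.
SAMPLE_LOG = [
    '203.0.113.5 "shop.example.test" "GET / HTTP/1.1" 200',
    '203.0.113.9 "x\x1b[2K\r198.51.100.1 "shop.example.test" "GET /admin HTTP/1.1" 200" "GET / HTTP/1.1" 404',
]


def unescaped_module_vars(logformat):
    """Names logged through %{VAR}x / %{VAR}c in a LogFormat string (the affected fields)."""
    return MODULE_VAR.findall(logformat)


def escape_logitem(field):
    """Escape one field the way mod_log_config does for the fields it sanitises
    (named escapes, backslash, double quote, everything else non-printable as hex)."""
    named = {"\b": "\\b", "\n": "\\n", "\r": "\\r", "\t": "\\t", "\v": "\\v", "\\": "\\\\", '"': '\\"'}
    out = []
    for ch in field:
        if ch in named:
            out.append(named[ch])
        elif ord(ch) < 0x20 or ord(ch) >= 0x7f:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def render_safe(line):
    """Make an existing log line safe to display by hex-escaping only the raw control bytes."""
    return RAW_CONTROL.sub(lambda m: f"\\x{ord(m.group()):02x}", line)


def suspicious_lines(lines):
    """(index, safely rendered line) for every line that still contains raw control bytes."""
    return [(i, render_safe(line)) for i, line in enumerate(lines) if RAW_CONTROL.search(line)]
```

`suspicious_lines(SAMPLE_LOG)` flags only the second line, and the rendered form makes the ESC and CR visible instead of letting them rewrite the terminal. Run the same sweep over real logs after upgrading past 2.4.63: the affected fields should then be escaped on write, so new lines should no longer match.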
unassigned In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
unassigned In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on".
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
unassigned In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
unassigned Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
1 abandoned package was found
| Abandoned package | Suggested replacement |
|---|---|
| php-http/message-factory | psr/http-factory |