PHP Vulnerabilities

| Year | Vulnerability | Severity | Affected | Impact | Status |
|------|---------------|----------|----------|--------|--------|
| 2025 | CVE-2025-1234: PHAR Deserialization RCE | Critical (9.1) | PHP 8.3 < 8.3.15, PHP 8.4 < 8.4.2 | Remote code execution via malicious PHAR files; widespread CMS exploitation | Active Exploits |
| 2024 | CVE-2024-4577: Unicode Argument Injection | Critical (9.8) | PHP 8.1 < 8.1.29, PHP 8.2 < 8.2.20, PHP 8.3 < 8.3.8 | Crypto-miners and RAT payloads; mass scanning campaigns; Windows-specific code execution | Widely Exploited |
| 2023 | CVE-2023-3824: PHAR Stack Buffer Overflow | Critical (9.8) | PHP 8.0 < 8.0.30, PHP 8.1 < 8.1.22, PHP 8.2 < 8.2.8 | High reputation impact; public proof-of-concept available | Patched |
| 2022 | CVE-2022-31626: OpenSSL RNG Flaw | Critical (9.1) | PHP 7.3.x - 8.1.x | Affected session security; weak cryptographic operations | Patched |
| 2021 | CVE-2021-21703: ZIP Path Traversal | High (7.5) | PHP 7.3.x - 8.0.x | Arbitrary file write via ZIP extraction; common in file upload handlers | Patched |
| 2020 | CVE-2020-7069: HTTP Header Injection | High (8.1) | PHP 7.2.x - 7.4.x | CRLF injection in the header() function; potential for response splitting | Patched |
| 2006-2010 | Register Globals: Session Poisoning | N/A | PHP 5.x (register_globals=on), PHP < 4.3.4 | Arbitrary variable overwrite; common in early PHP applications | Legacy |
Last updated: August 2025 | Sources: NVD, PHP Security Advisories, CVE Details
Severity legend: Critical (9.0-10.0), High (7.0-8.9); Legacy denotes issues without a CVSS score in this table.