[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIk0F-t7KCkgR8n41V9i92RwgmWwxqD_gr_-H7IxhEUs":3},{"product":4,"cycleMajor":14,"releases":15,"cves":61,"nextMajor":9},{"id":5,"slug":6,"name":7,"category":8,"vendor":9,"description":10,"logo_url":11,"official_url":9,"synced_at":12,"created_at":13},"26c73c6a-811e-4bd5-95d4-38212db95e60","php","PHP","language",null,"PHP is a general-purpose scripting language geared towards web development. It was created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. The PHP reference implementation is now produced by the PHP Group.","https:\u002F\u002Fcdn.simpleicons.org\u002Fphp","2026-06-09T20:02:18.513+00:00","2026-05-30T16:23:55.974439+00:00","8",[16,26,33,40,46,53],{"id":17,"product_id":5,"cycle":18,"release_date":19,"eol":20,"eol_boolean":9,"latest":21,"latest_release_date":22,"lts":23,"support":24,"created_at":25},"e723be69-a193-4986-a8be-eba61554abc1","8.5","2025-11-20","2029-12-31","8.5.7","2026-06-04",false,"2027-12-31","2026-05-30T16:24:59.546709+00:00",{"id":27,"product_id":5,"cycle":28,"release_date":29,"eol":30,"eol_boolean":9,"latest":31,"latest_release_date":22,"lts":23,"support":32,"created_at":25},"91a6f665-7f10-439e-b9b1-fc4564ba3374","8.4","2024-11-21","2028-12-31","8.4.22","2026-12-31",{"id":34,"product_id":5,"cycle":35,"release_date":36,"eol":24,"eol_boolean":9,"latest":37,"latest_release_date":38,"lts":23,"support":39,"created_at":25},"887a86d2-237f-4a11-9fba-fc2c2e043f17","8.3","2023-11-23","8.3.31","2026-05-07","2025-12-31",{"id":41,"product_id":5,"cycle":42,"release_date":43,"eol":32,"eol_boolean":9,"latest":44,"latest_release_date":38,"lts":23,"support":45,"created_at":25},"e9f74156-6bcb-4d73-b378-87cbc4e9510e","8.2","2022-12-08","8.2.31","2024-12-31",{"id":47,"product_id":5,"cycle":48,"release_date":49,"eol":39,"eol_boolean":9,"latest":50,"latest_release_date":51,"lts":23,"support":52,"created_at":25},"b4c31401-63d0-4872-9774-983e4ac281d5","8.1","2021-11-25","8.1.34","2025-
12-18","2023-11-25",{"id":54,"product_id":5,"cycle":55,"release_date":56,"eol":57,"eol_boolean":9,"latest":58,"latest_release_date":59,"lts":23,"support":60,"created_at":25},"72df98e6-07f3-4ebd-b7a9-73f3e034272d","8.0","2020-11-26","2023-11-26","8.0.30","2023-08-03","2022-11-26",[62,70,71,77,78,79,85,86,87,88,89,90,91,98,99,107,108,109,110,116,117,123,124,125,126,132,133,134,135,143,144,145,146,153,154,155],{"cveId":63,"releaseId":41,"cycle":42,"description":64,"severity":65,"cvssScore":66,"epssScore":67,"inKev":23,"publishedAt":68,"url":69},"CVE-2025-14179","In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quo","CRITICAL",9.8,0.00069,"2026-05-10T05:16:09.853+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2025-14179",{"cveId":63,"releaseId":27,"cycle":28,"description":64,"severity":65,"cvssScore":66,"epssScore":67,"inKev":23,"publishedAt":68,"url":69},{"cveId":72,"releaseId":34,"cycle":35,"description":73,"severity":65,"cvssScore":66,"epssScore":74,"inKev":23,"publishedAt":75,"url":76},"CVE-2026-7261","In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, if a SOAP request results in an error, the persistence is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. 
This may lead to memory corruption, information disclosure, or process cra",0.00096,"2026-05-10T05:16:11.64+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-7261",{"cveId":72,"releaseId":41,"cycle":42,"description":73,"severity":65,"cvssScore":66,"epssScore":74,"inKev":23,"publishedAt":75,"url":76},{"cveId":63,"releaseId":17,"cycle":18,"description":64,"severity":65,"cvssScore":66,"epssScore":67,"inKev":23,"publishedAt":68,"url":69},{"cveId":80,"releaseId":41,"cycle":42,"description":81,"severity":65,"cvssScore":66,"epssScore":82,"inKev":23,"publishedAt":83,"url":84},"CVE-2026-6722","In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. 
A subsequent href reference to the freed node can ",0.00369,"2026-05-10T05:16:11.07+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-6722",{"cveId":80,"releaseId":34,"cycle":35,"description":81,"severity":65,"cvssScore":66,"epssScore":82,"inKev":23,"publishedAt":83,"url":84},{"cveId":80,"releaseId":27,"cycle":28,"description":81,"severity":65,"cvssScore":66,"epssScore":82,"inKev":23,"publishedAt":83,"url":84},{"cveId":80,"releaseId":17,"cycle":18,"description":81,"severity":65,"cvssScore":66,"epssScore":82,"inKev":23,"publishedAt":83,"url":84},{"cveId":72,"releaseId":27,"cycle":28,"description":73,"severity":65,"cvssScore":66,"epssScore":74,"inKev":23,"publishedAt":75,"url":76},{"cveId":63,"releaseId":34,"cycle":35,"description":64,"severity":65,"cvssScore":66,"epssScore":67,"inKev":23,"publishedAt":68,"url":69},{"cveId":72,"releaseId":17,"cycle":18,"description":73,"severity":65,"cvssScore":66,"epssScore":74,"inKev":23,"publishedAt":75,"url":76},{"cveId":92,"releaseId":17,"cycle":18,"description":93,"severity":65,"cvssScore":94,"epssScore":95,"inKev":23,"publishedAt":96,"url":97},"CVE-2026-6104","In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure. 
Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), ",9.1,0.00026,"2026-05-10T06:16:07.397+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-6104",{"cveId":92,"releaseId":27,"cycle":28,"description":93,"severity":65,"cvssScore":94,"epssScore":95,"inKev":23,"publishedAt":96,"url":97},{"cveId":100,"releaseId":34,"cycle":35,"description":101,"severity":102,"cvssScore":103,"epssScore":104,"inKev":23,"publishedAt":105,"url":106},"CVE-2026-7258","In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing an array with a negative offset, which can trigger a denial of service.","HIGH",7.5,0.00027,"2026-05-10T05:16:11.36+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-7258",{"cveId":100,"releaseId":41,"cycle":42,"description":101,"severity":102,"cvssScore":103,"epssScore":104,"inKev":23,"publishedAt":105,"url":106},{"cveId":100,"releaseId":27,"cycle":28,"description":101,"severity":102,"cvssScore":103,"epssScore":104,"inKev":23,"publishedAt":105,"url":106},{"cveId":100,"releaseId":17,"cycle":18,"description":101,"severity":102,"cvssScore":103,"epssScore":104,"inKev":23,"publishedAt":105,"url":106},{"cveId":111,"releaseId":27,"cycle":28,"description":112,"severity":102,"cvssScore":103,"epssScore":113,"inKev":23,"publishedAt":114,"url":115},"CVE-2026-7262","In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of a missing value element. This leads to a NULL pointer dereference, causing a segmentation fault. 
This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.",0.00123,"2026-05-10T05:16:11.78+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-7262",{"cveId":111,"releaseId":17,"cycle":18,"description":112,"severity":102,"cvssScore":103,"epssScore":113,"inKev":23,"publishedAt":114,"url":115},{"cveId":118,"releaseId":41,"cycle":42,"description":119,"severity":102,"cvssScore":103,"epssScore":120,"inKev":23,"publishedAt":121,"url":122},"CVE-2026-7568","In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext\u002Fstandard\u002Fmetaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the P",0.0009,"2026-05-10T05:16:11.92+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-7568",{"cveId":118,"releaseId":34,"cycle":35,"description":119,"severity":102,"cvssScore":103,"epssScore":120,"inKev":23,"publishedAt":121,"url":122},{"cveId":118,"releaseId":27,"cycle":28,"description":119,"severity":102,"cvssScore":103,"epssScore":120,"inKev":23,"publishedAt":121,"url":122},{"cveId":118,"releaseId":17,"cycle":18,"description":119,"severity":102,"cvssScore":103,"epssScore":120,"inKev":23,"publishedAt":121,"url":122},{"cveId":127,"releaseId":27,"cycle":28,"description":128,"severity":102,"cvssScore":103,"epssScore":129,"inKev":23,"publishedAt":130,"url":131},"CVE-2026-7263","In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. 
This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.",0.0005,"2026-05-10T06:16:08.343+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-7263",{"cveId":127,"releaseId":17,"cycle":18,"description":128,"severity":102,"cvssScore":103,"epssScore":129,"inKev":23,"publishedAt":130,"url":131},{"cveId":111,"releaseId":41,"cycle":42,"description":112,"severity":102,"cvssScore":103,"epssScore":113,"inKev":23,"publishedAt":114,"url":115},{"cveId":111,"releaseId":34,"cycle":35,"description":112,"severity":102,"cvssScore":103,"epssScore":113,"inKev":23,"publishedAt":114,"url":115},{"cveId":136,"releaseId":27,"cycle":28,"description":137,"severity":138,"cvssScore":139,"epssScore":140,"inKev":23,"publishedAt":141,"url":142},"CVE-2026-7259","In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to  a NULL pointer dereference, resulting in a segmentation fault and denial of service. 
The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().","MEDIUM",6.5,0.00084,"2026-05-10T05:16:11.507+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-7259",{"cveId":136,"releaseId":17,"cycle":18,"description":137,"severity":138,"cvssScore":139,"epssScore":140,"inKev":23,"publishedAt":141,"url":142},{"cveId":136,"releaseId":34,"cycle":35,"description":137,"severity":138,"cvssScore":139,"epssScore":140,"inKev":23,"publishedAt":141,"url":142},{"cveId":136,"releaseId":41,"cycle":42,"description":137,"severity":138,"cvssScore":139,"epssScore":140,"inKev":23,"publishedAt":141,"url":142},{"cveId":147,"releaseId":17,"cycle":18,"description":148,"severity":138,"cvssScore":149,"epssScore":150,"inKev":23,"publishedAt":151,"url":152},"CVE-2026-6735","In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, due to improper sanitization of user data, an attacker can compose a URL which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.",6.1,0.00076,"2026-05-10T05:16:11.213+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-6735",{"cveId":147,"releaseId":27,"cycle":28,"description":148,"severity":138,"cvssScore":149,"epssScore":150,"inKev":23,"publishedAt":151,"url":152},{"cveId":147,"releaseId":34,"cycle":35,"description":148,"severity":138,"cvssScore":149,"epssScore":150,"inKev":23,"publishedAt":151,"url":152},{"cveId":147,"releaseId":41,"cycle":42,"description":148,"severity":138,"cvssScore":149,"epssScore":150,"inKev":23,"publishedAt":151,"url":152}]