Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
PHP Number Of NVD 699 CRITICAL 123 HIGH 261 MEDIUM 289 LOW 26
URL https://www.php.net/
Explanation It is an open source programming language used around the world as a development language for web applications.
It is developed by "The PHP Group" and is used in many open source web applications such as WordPress and Xoops.
Today, it can be used as a general-purpose scripting language for applications other than web applications.
It is a popular language among programming beginners because it is easy to learn.

It has become one of the open source combinations called LAMP (Linux, Apache, MySQL [MariaDB], PHP).
Add Information URL
No Type Name URL
1 https://www.php.net/supported-versions.php
2 https://www.php.net/downloads.php
3 https://www.php.net/eol.php
4 https://github.com/php/php-src
List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support		 Extended
for a fee		 Critical High Medium Low
1 PHP8.3 8.3.28 Nov. 20, 2025 June 6, 2024 Dec. 31, 2025 Dec. 31, 2027 5 6 4 0
2 PHP8.2 8.2.29 July 3, 2025 Dec. 8, 2022 Dec. 31, 2024 Dec. 31, 2026 6 9 6 0
3 PHP8.1 8.1.33 July 3, 2025 Nov. 25, 2021 Nov. 25, 2023 Nov. 25, 2024 6 10 6 0
4 PHP8.0 8.0.30 Aug. 3, 2023 Nov. 26, 2020 Nov. 26, 2022 Nov. 26, 2023 6 9 11 0
5 PHP7.4 7.4.33 Nov. 3, 2022 Nov. 28, 2019 Nov. 28, 2021 Nov. 28, 2022 9 10 19 1
6 PHP7.3 7.3.33 Nov. 18, 2021 Dec. 6, 2018 Dec. 6, 2020 Dec. 6, 2021 19 17 21 1
7 PHP7.2 7.2.34 Oct. 1, 2020 Nov. 30, 2017 Nov. 30, 2019 Nov. 30, 2020 20 21 21 1
8 PHP7.1 7.1.33 Dec. 1, 2019 Dec. 1, 2016 Dec. 1, 2018 Dec. 1, 2019 30 36 10 0
9 PHP7.0 7.0.33 Dec. 6, 2018 Dec. 3, 2015 Dec. 3, 2017 Dec. 3, 2018 76 60 14 0
10 PHP5.6 5.6.40 Dec. 31, 2018 Aug. 28, 2014 Jan. 19, 2017 Dec. 31, 2018 77 95 41 1
11 PHP6.0 6.0 Jan. 1, 2000 4 8 5 0
12 PHP5.6 5.6.9 Jan. 1, 2000 77 95 41 1
13 PHP5.5 5.5.9 Jan. 1, 2000 72 98 67 3
14 PHP5.4 5.4.9 Jan. 1, 2000 61 103 74 4
15 PHP5.3 5.3.9 Jan. 1, 2000 62 110 134 4
16 PHP5.2 5.2.9 Jan. 1, 2000 63 156 184 7
17 PHP5.1 5.1.6 Jan. 1, 2000 63 150 150 19
18 PHP5.0 5.0.5 Jan. 1, 2000 63 154 157 14
19 PHP4.4 4.4.9 Jan. 1, 2000 62 149 164 20
20 PHP4.3 4.3.9 Jan. 1, 2000 62 158 164 15
21 PHP4.2 4.2.4 Jan. 1, 2000 62 157 166 15
22 PHP4.1 4.1.3 Jan. 1, 2000 62 159 163 15
23 PHP4.0 4.0.7 Jan. 1, 2000 62 161 168 17
24 PHP3.0 3.0.9 Jan. 1, 2000 61 136 140 6
25 PHP2.0b10 2.0b10 Jan. 1, 2000 61 124 132 6
26 PHP2.0 2.0.2 Jan. 1, 2000 61 124 132 6
27 PHP1.5 1.5 Jan. 1, 2000 61 120 131 6
28 PHP1.4 1.4 Jan. 1, 2000 61 120 131 6
29 PHP1.3 1.3.5 Jan. 1, 2000 61 120 131 6
30 PHP1.2 1.2.5 Jan. 1, 2000 61 120 131 6
31 PHP1.1 1.1.1 Jan. 1, 2000 61 120 131 6
32 PHP1.0 1.0.4 Jan. 1, 2000 61 124 132 6
33 PHP0.91 0.91 Jan. 1, 2000 61 120 131 6
34 PHP0.90 0.90 Jan. 1, 2000 61 120 131 6
35 PHP0.9 0.9.4 Jan. 1, 2000 61 120 131 6
36 PHP0.7 0.7 Jan. 1, 2000 61 120 131 6
37 PHP0.6 0.6 Jan. 1, 2000 61 120 131 6
38 PHP0.5 0.5.3 Jan. 1, 2000 61 120 131 6
39 PHP0.4 0.4 Jan. 1, 2000 61 120 131 6
40 PHP0.3 0.3 Jan. 1, 2000 61 120 131 6
41 PHP0.2 0.2.4 Jan. 1, 2000 61 120 131 6
42 PHP0.11 0.11 Jan. 1, 2000 61 120 131 6
43 PHP0.10 0.10 Jan. 1, 2000 61 120 131 6
44 PHP0.1 0.1.1 Jan. 1, 2000 61 120 131 6
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2		 Level
Attach Vector		 Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date		 Show Affected Exploit
PoC
Search
1 7.5
- 		HIGH
Network 		In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML docu… CWE-404
CWE-835
 Improper Resource Shutdown or Release
 Loop with Unreachable Exit Condition ('Infinite Loop') 		CVE-2026-7263 cpe:2.3:a:php:php:*:* 8.4.0
8.5.0

8.4.21
8.5.6 		2026-05-13 02:35
2026-05-10 		Show GitHub Exploit DB Packet Storm
2 9.1
- 		CRITICAL
Network 		In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectl… CWE-125
Out-of-bounds Read 		CVE-2026-6104 cpe:2.3:a:php:php:*:* 8.4.0
8.5.0

8.4.21
8.5.6 		2026-05-13 02:35
2026-05-10 		Show GitHub Exploit DB Packet Storm
3 7.5
- 		HIGH
Network 		In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the cur… CWE-125
CWE-190
Out-of-bounds Read
 Integer Overflow or Wraparound 		CVE-2026-7568 cpe:2.3:a:php:php:*:* 8.2.0
8.3.0
8.4.0
8.5.0





8.2.31
8.3.31
8.4.21
8.5.6 		2026-05-13 02:38
2026-05-10 		Show GitHub Exploit DB Packet Storm
4 7.5
- 		HIGH
Network 		In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which check… CWE-476
 NULL Pointer Dereference 		CVE-2026-7262 cpe:2.3:a:php:php:*:* 8.2.0
8.3.0
8.4.0
8.5.0





8.2.31
8.3.31
8.4.21
8.5.6 		2026-05-13 02:39
2026-05-10 		Show GitHub Exploit DB Packet Storm
5 9.8
- 		CRITICAL
Network 		In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted acr… CWE-416
 Use After Free 		CVE-2026-7261 cpe:2.3:a:php:php:*:* 8.2.0
8.3.0
8.4.0
8.5.0





8.2.31
8.3.31
8.4.21
8.5.6 		2026-05-13 02:40
2026-05-10 		Show GitHub Exploit DB Packet Storm
6 6.5
- 		MEDIUM
Network 		In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to  a NULL pointer dereference, re… CWE-476
 NULL Pointer Dereference 		CVE-2026-7259 cpe:2.3:a:php:php:*:* 8.2.0
8.3.0
8.4.0
8.5.0





8.2.31
8.3.31
8.4.21
8.5.6 		2026-05-13 02:40
2026-05-10 		Show GitHub Exploit DB Packet Storm
7 7.5
- 		HIGH
Network 		In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On… CWE-125
Out-of-bounds Read 		CVE-2026-7258 cpe:2.3:a:php:php:*:* 8.2.0
8.3.0
8.4.0
8.5.0





8.2.21
8.3.31
8.4.21
8.5.6 		2026-05-13 02:41
2026-05-10 		Show GitHub Exploit DB Packet Storm
8 6.1
- 		MEDIUM
Network 		In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause t… CWE-79
Cross-site Scripting 		CVE-2026-6735 cpe:2.3:a:php:php:*:* 8.2.0
8.3.0
8.4.0
8.5.0





8.2.31
8.3.31
8.4.21
8.5.6 		2026-05-13 02:43
2026-05-10 		Show GitHub Exploit DB Packet Storm
9 9.8
- 		CRITICAL
Network 		In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global m… CWE-416
 Use After Free 		CVE-2026-6722 cpe:2.3:a:php:php:*:* 8.2.0
8.3.0
8.4.0
8.5.0





8.2.31
8.3.31
8.4.21
8.5.6 		2026-05-13 02:48
2026-05-10 		Show GitHub Exploit DB Packet Storm
10 9.8
- 		CRITICAL
Network 		In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by… CWE-89
SQL Injection 		CVE-2025-14179 cpe:2.3:a:php:php:*:* 8.2.0
8.3.0
8.4.0
8.5.0





8.2.31
8.3.31
8.4.21
8.5.6 		2026-05-13 02:48
2026-05-10 		Show GitHub Exploit DB Packet Storm