PHP 7.4

Status EOLSupport 2019-11 – 2022-11Latest 7.4.33Vulnerabilities 40← All PHP versions
KEV Unfixed
2024-06-09≤ 7.4.33

Argument Injection in PHP-CGI

CVE
Critical 9.8
2017-05-12< 7.4.24

php: Overflowing the length of string causes crash

CVE
Critical 9.8
2018-08-02< 7.4.23

php: Integer overflow in mysqli_api.c:mysqli_real_escape_string()

CVE
Critical 9.8
2022-10-21< 7.4.33

XKCP: buffer overflow in the SHA-3 reference implementation

CVE
High 8.2
2022-02-27< 7.4.28

UAF due to php_filter_float() failing

CVE
High 8.1
2022-06-16< 7.4.30

Freeing unallocated memory in php_pgsql_free_params()

CVE
High 7.8
2021-10-25< 7.4.25

PHP-FPM memory access in root process leading to privilege escalation

CVE
High 7.5
2018-08-02< 7.4.27

php: Out of bounds access in php_pcre.c:php_pcre_replace_impl()

CVE
High 7.5
2020-02-27< 7.4.3

Null Pointer Dereference in PHP Session Upload Progress

CVE
High 7.5
2020-04-27< 7.4.5

OOB Read in urldecode()

CVE
High 7.5
2022-06-16< 7.4.30

mysqlnd/pdo password buffer overflow

CVE
High 7.4
2020-04-01< 7.4.4

mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full

CVE
High 7.1
2019-08-09< 7.4.0

heap-buffer-overflow on exif_scan_thumbnail in EXIF extension

CVE
High 7.1
2019-08-09< 7.4.0

heap-buffer-overflow on exif_process_user_comment in EXIF extension

CVE
Medium 6.5
2019-12-23< 7.4.1

mail() may release string with refcount==1 twice

CVE
Medium 6.5
2020-02-10< 7.4.2

OOB read in php_strip_tags_ex

CVE
Medium 6.5
2020-02-10< 7.4.2

global buffer-overflow in mbfl_filt_conv_big5_wchar

CVE
Medium 6.5
2020-02-27< 7.4.3

heap-buffer-overflow in phar_extract_file

CVE
Medium 6.5
2020-04-01< 7.4.4

Use-of-uninitialized-value in exif

CVE
Medium 6.5
2022-09-28< 7.4.31

$_COOKIE names string replacement (. -> _): cookie integrity vulnerabilities

CVE
Medium 6.5
2022-11-14< 7.4.33

OOB read due to insufficient input validation in imageloadfont()

CVE
Medium 5.5
2020-02-27< 7.4.3

Files added to tar with Phar::buildFromIterator have all-access permissions

CVE
Medium 5.4
2020-10-02< 7.4.11

Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV

CVE
Medium 5.3 Unfixed
2024-06-09≥ 7.4.15 and ≤ 7.4.33

Filter bypass in filter_var (FILTER_VALIDATE_URL)

CVE
Medium 5.3
2020-05-20< 7.4.6

Temporary files are not cleaned after OOM when parsing HTTP request data

CVE
Medium 5.3
2020-04-01< 7.4.4

get_headers() silently truncates after a null byte

CVE
Medium 5.3
2021-02-15< 7.4.14

FILTER_VALIDATE_URL accepts URLs with invalid userinfo

CVE
Medium 5.3
2021-02-15< 7.4.15

Null Dereference in SoapClient

CVE
Medium 5.3
2021-10-04< 7.4.24

ZipArchive::extractTo may extract outside of destination dir

CVE
Medium 5.3
2021-11-29< 7.4.26

Special characters break path parsing in XML functions

CVE
Medium 5.0
2021-10-04< 7.4.21

Multiple vulnerabilities in Firebird client extension

CVE
Medium 4.8
2019-12-23< 7.4.1

Heap-buffer-overflow READ in exif

CVE
Medium 4.8
2019-12-23< 7.4.1

Use-after-free in exif parsing under memory sanitizer

CVE
Medium 4.8
2020-09-09< 7.4.9

Use of freed hash key in the phar_parse_zipfile function

CVE
Medium 4.3
2020-10-02< 7.4.11

PHP parses encoded cookie names so malicious `__Host-` cookies can be sent

CVE
Medium 4.3
2021-10-04< 7.4.21

Incorrect URL validation in FILTER_VALIDATE_URL

CVE
Low 3.7
2019-12-23< 7.4.1

link() silently truncates after a null byte on Windows

CVE
Low 3.7
2019-12-23< 7.4.1

DirectoryIterator class silently truncates after a null byte

CVE
Low 3.7
2019-12-23< 7.4.1

Buffer underflow in bc_shift_addsub

CVE
Low 2.3
2022-09-28< 7.4.32

phar wrapper can occur dos when using quine gzip file

CVE