PHP 8.2

Status Security onlySupport 2022-12 – 2026-12Latest 8.2.31Vulnerabilities 35← All PHP versions
Critical 9.8
2024-11-22< 8.2.26

OOB access in ldap_escape

CVE
Critical 9.8
2025-01-01< 8.2.28

Stream HTTP wrapper truncates redirect location to 1024 bytes

CVE
Critical 9.8
2024-11-24< 8.2.26

Integer overflow in the firebird and dblib quoters causing OOB writes

CVE
KEV
2024-06-09< 8.2.20

Argument Injection in PHP-CGI

CVE
Critical 9.8
2022-10-21< 8.2.0

XKCP: buffer overflow in the SHA-3 reference implementation

CVE
Critical 9.4
2024-04-29< 8.2.20

Command injection via array-ish $command parameter of proc_open()

CVE
Critical 9.4
2023-08-11< 8.2.9

Buffer overflow and overread in phar_dir_read()

CVE
Critical 9.1
2025-02-12< 8.2.1

PDO::quote() may return unquoted string

CVE
High 8.6
2023-08-11< 8.2.9

Security issue with external entity loading in XML without enabling it

CVE
High 8.1
2024-10-08< 8.2.24

PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)

CVE
High 7.7
2024-06-09< 8.2.20

Command injection via array-ish $command parameter of proc_open() (bypass CVE-2024-1874 fix)

CVE
High 7.7
2023-02-16< 8.2.3

password_verify() always returns true for some invalid hashes

CVE
High 7.5
2025-12-27< 8.2.30

NULL Pointer Dereference in PDO quoting

CVE
High 7.5
2025-12-27< 8.2.30

Information Leak of Memory in getimagesize

CVE
High 7.5
2024-10-08< 8.2.24

cgi.force_redirect configuration is bypassable due to the environment variable collision

CVE
High 7.5
2023-02-16< 8.2.3

Array overrun in common path resolve code

CVE
High 7.5
2023-02-16< 8.2.3

DoS vulnerability when parsing multipart request body

CVE
High 7.3
2025-01-01< 8.2.28

Stream HTTP wrapper header check might omit basic auth header

CVE
Medium 6.5
2025-12-27< 8.2.30

Heap buffer overflow in array_merge()

CVE
Medium 6.5
2024-04-29< 8.2.18

PHP function password_verify can erroneously return true when argument contains NUL

CVE
Medium 5.9
2025-07-05< 8.2.29

NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix

CVE
Medium 5.9
2025-07-05< 8.2.29

pgsql extension does not check for errors during escaping

CVE
Medium 5.9
2024-06-09< 8.2.20

PHP is vulnerable to the Marvin Attack

CVE
Medium 5.8
2024-11-22< 8.2.26

Leak partial content of the heap through heap buffer over-read in mysqlnd

CVE
Medium 5.3
2025-01-01< 8.2.28

Streams HTTP wrapper does not fail for headers with invalid name and no colon

CVE
Medium 5.3
2025-01-01< 8.2.28

libxml streams use wrong content-type header when requesting a redirected resource

CVE
Medium 5.3
2024-06-09< 8.2.20

Filter bypass in filter_var (FILTER_VALIDATE_URL)

CVE
Medium 4.8
2024-11-24< 8.2.26

Configuring a proxy in a stream context might allow for CRLF injection in URIs

CVE
Medium 4.8
2024-11-24< 8.2.26

Single byte overread with convert.quoted-printable-decode filter

CVE
Low 3.7
2025-07-13< 8.2.29

Null byte termination in hostnames

CVE
Low 3.3
2024-10-08< 8.2.24

PHP-FPM logs from children may be altered

CVE
Low 3.1
2025-01-01< 8.2.28

Header parser of http stream wrapper does not handle folded headers

CVE
Low 3.1
2024-10-08< 8.2.24

Erroneous parsing of multipart form data

CVE
Low 2.6
2023-07-22< 8.2.7

Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP

CVE
N/A
2024-04-29< 8.2.18

CVE