Active support for PHP 5.4 ended in September 2014 and its final security release, 5.4.45, shipped in September 2015, yet nearly 300 websites still run this branch. With 129 documented vulnerabilities, including 18 rated critical, most of them remote code execution, continuing to run PHP 5.4 puts your website at severe risk of compromise, data theft, and complete system takeover.
This comprehensive guide will help you understand the specific threats facing PHP 5.4 installations, identify whether your website is vulnerable, and implement a secure upgrade strategy. Taking action now is not optional; it's essential for protecting your business, users, and reputation.
Don't become another casualty of outdated software. Our security experts have compiled everything you need to modernize your PHP infrastructure and eliminate these critical attack vectors.
PHP 5.4 is a release branch of PHP, the server-side scripting language behind a large share of websites; 5.4.0 shipped in March 2012. If your website runs on PHP, it is the engine that processes user requests, talks to the database, handles logins, and renders dynamic content for visitors. PHP 5.4 was widely adopted when released, offering better performance and new language features over 5.3.
However, PHP 5.4 has long been unsupported: active support ended in September 2014 and the last security release, 5.4.45, shipped in September 2015. Since then the PHP project has published no fixes for this branch, in the interpreter or in its bundled extensions, so every vulnerability discovered after that point remains exploitable on every 5.4 install, permanently. Note in the table below that even the final 5.4.45 only covers issues published before it; attackers actively exploit the rest because they know a patch will never come.
129 CVEs found. The table below includes every NVD entry that mentions version 5.4, so alongside PHP-core issues (descriptions of the form "PHP before 5.4.x") it also contains entries for unrelated software that happens to have a 5.4 release: Symfony 5.4, vtiger CRM 5.4, PHP-Nuke 5.4, several WordPress plugins, and others. Those do not affect the interpreter itself. A few core entries (for example "PHP before 5.4.0") concern pre-release builds and were fixed before 5.4.0 shipped. The most critical PHP-core issues are explained below.
Attackers can trick your PHP website into running malicious code by sending specially crafted requests in the URL query string. When PHP runs as a CGI binary (php-cgi), a query string that contains no = sign is handed to the binary as command-line arguments, so php-cgi switches such as -s (dump the script's source) and -d (override any php.ini directive) can be set from the outside. The first fix, in 5.4.2, was incomplete: an encoded %3D slipped past its check (CVE-2012-2311 in the table below, fixed in 5.4.3).
Impact: Hackers could take complete control of your website, steal customer data, install malware, or shut down your site entirely.
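The request pattern described above is easy to spot in web-server logs, because a normal form query always carries a literal = while the argument-injection form never does. The following detector is an added example, not code from the page or from the PHP project: it reproduces the CGI argv derivation (split the raw query string on +, percent-decode each word) and flags requests that would hand php-cgi a -s, -d, -n or -c switch. The access-log lines are constructed for the example; the -d directives in the second line are the publicly documented php-cgi argument-injection payload, and the third line shows the encoded-dash variant that a naive `?-` string match would miss.

```python
import re
from urllib.parse import unquote

# php-cgi switches worth alerting on when they arrive via the query string:
# -s prints the script source, -d overrides a php.ini directive, -n skips
# php.ini entirely, -c points php-cgi at an attacker-chosen php.ini path.
PHP_CGI_SWITCHES = {"s", "d", "n", "c"}

# Request line inside a combined-format (Apache/nginx) access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def cgi_argv(target):
    """Return the argv words a CGI server derives from the request target, or
    None when the query string is ordinary form data.

    A query string with no literal '=' is split on '+', each word is
    percent-decoded, and the words become command-line arguments of the CGI
    binary. An encoded '%3D' does not count as '=', which is the gap that
    CVE-2012-2311 describes.
    """
    if "?" not in target:
        return None
    query = target.split("?", 1)[1]
    if "=" in query:
        return None
    return [unquote(word) for word in query.split("+") if word]


def is_cgi_arg_injection(target):
    """True when the request would hand php-cgi one of the dangerous switches."""
    argv = cgi_argv(target)
    if not argv:
        return False
    return any(len(arg) >= 2 and arg[0] == "-" and arg[1] in PHP_CGI_SWITCHES
               for arg in argv)


def scan_access_log(lines):
    """Return (method, target, decoded argv) for every flagged request line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_cgi_arg_injection(m.group("target")):
            hits.append((m.group("method"), m.group("target"),
                         cgi_argv(m.group("target"))))
    return hits


# Constructed sample log lines (not real traffic). The first three are attacks;
# the last two are benign, including a search for the string "-s".
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?-s HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "curl/7.88.1"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 4321 "-" "curl/7.88.1"',
    '198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "GET /search.php?q=-s HTTP/1.1" 200 1201 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for method, target, argv in scan_access_log(SAMPLE_LOG):
        print(f"php-cgi argument injection: {method} {target} -> argv {argv}")
```

Two points worth keeping in mind when you turn this into a detection rule: the decision has to be made on the raw query string (a literal = anywhere means the server passes nothing as argv, which is why `q=-s` is harmless), and the dash itself may be percent-encoded, so decode each word before testing it. The fix is upgrading; the historical stopgap was a web-server rewrite rule that returns 403 for any query string that contains no = and begins with - or %2d.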
If your website exposes or consumes SOAP web services, an attacker-supplied object whose properties have unexpected types can leak process memory or crash the application. The root cause is type confusion: the SOAP extension assumes a property has one type and operates on it without checking.
Impact: Your website could reveal private information, stop working temporarily, or allow attackers to run malicious code.
Similar to CVE-2015-4599, this vulnerability affects the SOAP extension. Attackers exploit the same kind of type confusion to crash the service or potentially execute code.
Impact: Service outages, system crashes, or potential unauthorized code execution on your server.
PHP's handling of incomplete class objects (the placeholders unserialize() creates when the named class is not loaded) has a type-confusion flaw: fields that are assumed to be strings or arrays can be another type, leading to crashes or code execution. Attackers reach it by supplying crafted serialized input.
Impact: Your website could crash unexpectedly or allow remote code execution by attackers.
The function that formats an exception's stack trace assumes its inputs have specific types; attacker-controlled values of other types can be used to run code on your server.
Impact: Complete compromise of your website and server, allowing attackers to access, modify, or delete all data.
If your website is hosted on Windows servers, attackers can send specially crafted text that tricks PHP into running system commands. This exploits a weakness in how PHP's shell-argument escaping handles certain characters on Windows, so an argument the application believes is safely quoted breaks out of the quotes.
Impact: Attackers could execute operating system commands on your server, giving them full control of your system.
Two reading notes for the table: the severity labels mix scoring scales (entries from 2012 to 2015 carry CVSS v2 scores, where 10.0 is the top of the HIGH band, while later entries carry CVSS v3 scores, where 9.0 and above is CRITICAL, so a v2 10.0 and a v3 9.8 describe comparable impact), and "Published" is the NVD publication date, which for several 2015 issues is months after the fix shipped.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2015-4643 | CRITICAL | 9.8 | 2016-05-16 | Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary cod… |
| CVE-2015-5589 | CRITICAL | 9.8 | 2016-05-16 | The phar_convert_to_other function in ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 does not validate a file pointer before a close ope… |
| CVE-2015-6834 | CRITICAL | 9.8 | 2016-05-16 | Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to … |
| CVE-2015-6835 | CRITICAL | 9.8 | 2016-05-16 | The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute … |
| CVE-2015-8835 | CRITICAL | 9.8 | 2016-05-16 | The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not properly retrieve keys, which allows remote … |
| CVE-2015-8876 | CRITICAL | 9.8 | 2016-05-22 | Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not validate certain Exception objects, which allows remote attackers to cause a den… |
| CVE-2014-9912 | CRITICAL | 9.8 | 2017-01-04 | The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to … |
| CVE-2013-3214 | CRITICAL | 9.8 | 2020-01-28 | vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'. |
| CVE-2020-10806 | CRITICAL | 9.8 | 2020-03-22 | eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow re… |
| CVE-2020-16629 | CRITICAL | 9.8 | 2021-02-08 | PhpOK 5.4.137 contains a SQL injection vulnerability that can inject an attachment data through SQL, and then call the attachment replacement function through api.php to write a P… |
| CVE-2026-4001 | CRITICAL | 9.8 | 2026-03-24 | The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula ev… |
| CVE-2025-26909 | CRITICAL | 9.6 | 2025-03-27 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows PHP Local F… |
| CVE-2012-2376 | HIGH | 10.0 | 2012-05-21 | Buffer overflow in the com_print_typeinfo function in PHP 5.4.3 and earlier on Windows allows remote attackers to execute arbitrary code via crafted arguments that trigger incorre… |
| CVE-2012-2688 | HIGH | 10.0 | 2012-07-20 | Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors… |
| CVE-2015-6497 | HIGH | 8.8 | 2020-01-15 | The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used … |
| CVE-2013-3591 | HIGH | 8.8 | 2020-02-07 | vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability |
| CVE-2021-27230 | HIGH | 8.8 | 2021-03-15 | ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under … |
| CVE-2021-47735 | HIGH | 8.8 | 2025-12-23 | CMSimple 5.4 contains an authenticated remote code execution vulnerability that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit … |
| CVE-2024-45398 | HIGH | 8.3 | 2024-09-17 | Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to … |
| CVE-2016-3171 | HIGH | 8.1 | 2016-04-12 | Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related t… |
| CVE-2016-6174 | HIGH | 8.1 | 2016-07-12 | applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP… |
| CVE-2024-4441 | HIGH | 8.1 | 2024-05-14 | The XML Sitemap & Google News plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.8 via the 'feed' parameter. This makes it possib… |
| CVE-2021-47734 | HIGH | 7.8 | 2025-12-23 | CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can le… |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2012-2311 | HIGH | 7.5 | 2012-05-11 | sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence … |
| CVE-2012-2335 | HIGH | 7.5 | 2012-05-11 | php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code… |
| CVE-2012-2386 | HIGH | 7.5 | 2012-07-07 | Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote attackers to cause a denial of service… |
| CVE-2013-1635 | HIGH | 7.5 | 2013-03-06 | ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which all… |
| CVE-2013-3735 | HIGH | 7.5 | 2013-05-31 | The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 before RC2, does not properly determine whether a parser error occurred, which allows context-dependent attackers to cause a de… |
| CVE-2013-6420 | HIGH | 7.5 | 2013-12-17 | The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter … |
| CVE-2014-3515 | HIGH | 7.5 | 2014-07-09 | The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allo… |
| CVE-2014-3669 | HIGH | 7.5 | 2014-10-29 | Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to caus… |
| CVE-2014-8142 | HIGH | 7.5 | 2014-12-20 | Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remot… |
| CVE-2014-9427 | HIGH | 7.5 | 2015-01-03 | sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider th… |
| CVE-2015-0231 | HIGH | 7.5 | 2015-01-27 | Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remot… |
| CVE-2014-9653 | HIGH | 7.5 | 2015-03-30 | readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes re… |
| CVE-2014-9705 | HIGH | 7.5 | 2015-03-30 | Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote att… |
| CVE-2015-0273 | HIGH | 7.5 | 2015-03-30 | Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allow remote attackers to execute arbitrary code v… |
| CVE-2015-2331 | HIGH | 7.5 | 2015-03-30 | Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x befo… |
| CVE-2015-2787 | HIGH | 7.5 | 2015-03-30 | Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remot… |
| CVE-2015-3307 | HIGH | 7.5 | 2015-06-09 | The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (heap me… |
| CVE-2015-3329 | HIGH | 7.5 | 2015-06-09 | Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allow remote attackers to… |
| CVE-2015-4022 | HIGH | 7.5 | 2015-06-09 | Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code… |
| CVE-2015-4025 | HIGH | 7.5 | 2015-06-09 | PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character in certain situations, which allows remote attackers to bypa… |
| CVE-2015-4026 | HIGH | 7.5 | 2015-06-09 | The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote a… |
| CVE-2015-4147 | HIGH | 7.5 | 2015-06-09 | The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows… |
| CVE-2015-6833 | HIGH | 7.5 | 2016-01-19 | Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via … |
| CVE-2015-4604 | HIGH | 7.5 | 2016-05-16 | The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a cer… |
| CVE-2015-4605 | HIGH | 7.5 | 2016-05-16 | The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a ce… |
| CVE-2015-4644 | HIGH | 7.5 | 2016-05-16 | The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extr… |
| CVE-2015-6837 | HIGH | 7.5 | 2016-05-16 | The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consid… |
| CVE-2015-6838 | HIGH | 7.5 | 2016-05-16 | The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consid… |
| CVE-2015-8873 | HIGH | 7.5 | 2016-05-16 | Stack consumption vulnerability in Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to cause a denial of service (… |
| CVE-2015-8867 | HIGH | 7.5 | 2016-05-22 | The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseu… |
| CVE-2010-4657 | HIGH | 7.5 | 2019-11-13 | PHP5 before 5.4.4 allows passing invalid utf-8 strings via the xmlTextWriterWriteAttribute, which are then misparsed by libxml2. This results in memory leak into the resulting out… |
| CVE-2024-51996 | HIGH | 7.5 | 2024-11-13 | Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the … |
| CVE-2026-25892 | HIGH | 7.5 | 2026-02-09 | Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessag… |
| CVE-2026-24891 | HIGH | 7.5 | 2026-02-20 | openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserializati… |
| CVE-2016-3167 | HIGH | 7.4 | 2016-04-12 | Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web site… |
| CVE-2015-5590 | HIGH | 7.3 | 2016-01-19 | Stack-based buffer overflow in the phar_fix_filepath function in ext/phar/phar.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 allows remote attackers to caus… |
| CVE-2015-6831 | HIGH | 7.3 | 2016-01-19 | Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allow remote attackers to execute arbitrary code via vectors invo… |
| CVE-2015-6832 | HIGH | 7.3 | 2016-01-19 | Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attacker… |
| CVE-2015-6836 | HIGH | 7.3 | 2016-01-19 | The SoapClient __call method in ext/soap/soap.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 does not properly manage headers, which allows remote attackers … |
| CVE-2024-50340 | HIGH | 7.3 | 2024-11-06 | symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` … |
| CVE-2025-64500 | HIGH | 7.3 | 2025-11-12 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP … |
| CVE-2014-0185 | HIGH | 7.2 | 2014-05-06 | sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to ga… |
| CVE-2016-3185 | HIGH | 7.1 | 2016-05-16 | The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain s… |
| CVE-2014-3597 | MEDIUM | 6.8 | 2014-08-23 | Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (app… |
| CVE-2014-3670 | MEDIUM | 6.8 | 2014-10-29 | The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, w… |
| CVE-2015-0232 | MEDIUM | 6.8 | 2015-01-27 | The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a… |
| CVE-2015-3330 | MEDIUM | 6.8 | 2015-06-09 | The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, when the Apache HTTP Server 2.4.x is used, allows… |
| CVE-2025-68129 | MEDIUM | 6.8 | 2025-12-17 | Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly… |
| CVE-2014-0207 | MEDIUM | 6.5 | 2014-07-09 | The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a… |
| CVE-2014-3478 | MEDIUM | 6.5 | 2014-07-09 | Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attacker… |
| CVE-2014-3480 | MEDIUM | 6.5 | 2014-07-09 | The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count … |
| CVE-2015-3411 | MEDIUM | 6.5 | 2016-05-16 | PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary … |
| CVE-2015-4598 | MEDIUM | 6.5 | 2016-05-16 | PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary… |
| CVE-2023-46733 | MEDIUM | 6.5 | 2023-11-10 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `Se… |
| CVE-2011-4566 | MEDIUM | 6.4 | 2011-11-29 | Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows remote attackers to read the contents of arbitra… |
| CVE-2014-5120 | MEDIUM | 6.4 | 2014-08-23 | gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite … |
| CVE-2024-2203 | MEDIUM | 6.4 | 2024-03-27 | The The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Clients widget. This makes it poss… |
| CVE-2024-2210 | MEDIUM | 6.4 | 2024-03-27 | The The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Team Member Listing widget. This m… |
| CVE-2026-24739 | MEDIUM | 6.3 | 2026-01-28 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process c… |
| CVE-2015-8935 | MEDIUM | 6.1 | 2016-08-07 | The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibi… |
| CVE-2023-46734 | MEDIUM | 6.1 | 2023-11-10 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31… |
| CVE-2015-8838 | MEDIUM | 5.9 | 2016-05-16 | ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle atta… |
| CVE-2012-1172 | MEDIUM | 5.8 | 2012-05-24 | The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, which makes it easier for remot… |
| CVE-2015-2783 | MEDIUM | 5.8 | 2015-06-09 | ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information from process memory or cause a denial of … |
| CVE-2015-3412 | MEDIUM | 5.3 | 2016-05-16 | PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via cr… |
| CVE-2002-0483 | MEDIUM | 5.0 | 2002-08-12 | index.php for PHP-Nuke 5.4 and earlier allows remote attackers to determine the physical pathname of the web server when the file parameter is set to index.php, which triggers an … |
| CVE-2002-2032 | MEDIUM | 5.0 | 2002-12-31 | sql_layer.php in PHP-Nuke 5.4 and earlier does not restrict access to debugging features, which allows remote attackers to gain SQL query information by setting the sql_debug para… |
| CVE-2012-2329 | MEDIUM | 5.0 | 2012-05-11 | Buffer overflow in the apache_request_headers function in sapi/cgi/cgi_main.c in PHP 5.4.x before 5.4.3 allows remote attackers to cause a denial of service (application crash) vi… |
| CVE-2012-2336 | MEDIUM | 5.0 | 2012-05-11 | sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign)… |
| CVE-2013-1643 | MEDIUM | 5.0 | 2013-03-06 | The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in … |
| CVE-2013-2110 | MEDIUM | 5.0 | 2013-06-21 | Heap-based buffer overflow in the php_quot_print_encode function in ext/standard/quot_print.c in PHP before 5.3.26 and 5.4.x before 5.4.16 allows remote attackers to cause a denia… |
| CVE-2013-4635 | MEDIUM | 5.0 | 2013-06-21 | Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denia… |
| CVE-2014-0237 | MEDIUM | 5.0 | 2014-06-01 | The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performa… |
| CVE-2014-0238 | MEDIUM | 5.0 | 2014-06-01 | The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite … |
| CVE-2014-3668 | MEDIUM | 5.0 | 2014-10-29 | Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x… |
| CVE-2014-3710 | MEDIUM | 5.0 | 2014-11-05 | The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remo… |
| CVE-2014-9652 | MEDIUM | 5.0 | 2015-03-30 | The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly ha… |
| CVE-2015-2348 | MEDIUM | 5.0 | 2015-03-30 | The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a … |
| CVE-2015-4021 | MEDIUM | 5.0 | 2015-06-09 | The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is diffe… |
| CVE-2015-4024 | MEDIUM | 5.0 | 2015-06-09 | Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote att… |
| CVE-2015-4148 | MEDIUM | 5.0 | 2015-06-09 | The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remo… |
| CVE-2011-1398 | MEDIUM | 4.3 | 2012-08-30 | The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote at… |
| CVE-2012-4388 | MEDIUM | 4.3 | 2012-09-07 | The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), wh… |
| CVE-2013-4636 | MEDIUM | 4.3 | 2013-06-21 | The mget function in libmagic/softmagic.c in the Fileinfo component in PHP 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (invalid pointer dereference an… |
| CVE-2013-4248 | MEDIUM | 4.3 | 2013-08-18 | The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Su… |
| CVE-2013-1824 | MEDIUM | 4.3 | 2013-09-16 | The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in … |
| CVE-2014-2497 | MEDIUM | 4.3 | 2014-03-21 | The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and applic… |
| CVE-2014-3479 | MEDIUM | 4.3 | 2014-07-09 | The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size … |
| CVE-2014-3487 | MEDIUM | 4.3 | 2014-07-09 | The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset… |
| CVE-2014-3587 | MEDIUM | 4.3 | 2014-08-23 | Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remot… |
| CVE-2014-9767 | MEDIUM | 4.3 | 2016-05-22 | Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip… |
| CVE-2023-39343 | MEDIUM | 4.3 | 2023-08-04 | Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which on… |
| CVE-2024-50342 | LOW | 3.1 | 2024-11-06 | symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNe… |
| CVE-2024-50343 | LOW | 3.1 | 2024-11-06 | symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression us… |
| CVE-2024-50345 | LOW | 3.1 | 2024-11-06 | symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class, does not parse URI with … |
| CVE-2012-3450 | LOW | 2.6 | 2012-08-06 | pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during parsing of prepared statements, w… |
| CVE-2014-4721 | LOW | 2.6 | 2014-07-06 | The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_… |
| CVE-2024-51736 | NONE | 0.0 | 2024-11-06 | Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current… |
| CVE-2014-125113 | N/A | — | 2025-08-05 | An unrestricted file upload vulnerability exists in Dell (acquired by Quest) KACE K1000 System Management Appliance version 5.0 - 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5… |
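Most of the descriptions above state the affected range in NVD's fixed phrasing ("PHP before 5.4.40, 5.5.x before 5.5.24, ..."), so a table this size can be triaged mechanically against the exact patch level you run. The script below is an added example, not code from the page or from the PHP project: it parses the before / through / "and earlier" / exact-release phrasings, compares them with the installed version (from `php -v` or the X-Powered-By header), and separates out rows that are not about the interpreter at all. The CVE rows embedded in it are copied from the table; the classification rules are my own reading of NVD's wording, and the handling of branches newer than every bound (for instance a 7.4 install against a 5.x/7.0 range) assumes, as is the case for PHP, that a fix lands in every branch open at the time.

```python
import re

# Version phrasings used in NVD descriptions of PHP-core entries.
BEFORE_RE = re.compile(r"\bbefore (\d+)\.(\d+)\.(\d+)")           # strict bound: fixed in that release
THROUGH_RE = re.compile(r"\bthrough (\d+)\.(\d+)\.(\d+)")         # inclusive bound
EARLIER_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+) and earlier")     # inclusive bound
EXACT_RE = re.compile(r"\bPHP5? (\d+)\.(\d+)\.(\d+)(?![\w.])")    # a single named release
# An entry concerns the interpreter only if "PHP" is the product carrying the range.
PHP_CORE_RE = re.compile(
    r"\bPHP5? (?:\d+\.\d+\.x )?(?:before|through) \d|\bPHP5? \d+\.\d+\.\d+")


def parse_version(text):
    """'5.4.16' or 'PHP/5.4.16' (X-Powered-By value) -> (5, 4, 16)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_bounds(description):
    """All (version, kind) bounds in a description; kind is 'lt', 'le' or 'eq'."""
    found = []
    for regex, kind in ((BEFORE_RE, "lt"), (THROUGH_RE, "le"),
                        (EARLIER_RE, "le"), (EXACT_RE, "eq")):
        for m in regex.finditer(description):
            found.append((tuple(int(x) for x in m.groups()), kind))
    return found


def affected_status(installed, description):
    """'affected', 'not affected', 'other product' or 'unknown' for one NVD row."""
    v = parse_version(installed)
    if not PHP_CORE_RE.search(description):
        return "other product"
    bounds = version_bounds(description)
    for bound, kind in bounds:
        if bound[:2] != v[:2]:          # only bounds on our own minor branch apply
            continue
        hit = {"lt": v < bound, "le": v <= bound, "eq": v == bound}[kind]
        return "affected" if hit else "not affected"
    # No bound names our branch. Assumption (true for PHP): fixes land in every
    # branch open at the time, so a branch newer than all named ones has the fix.
    if bounds and all(v[:2] > bound[:2] for bound, _ in bounds):
        return "not affected"
    return "unknown"


def triage(installed, rows):
    return {cve: affected_status(installed, desc) for cve, desc in rows}


def affected_cves(installed, rows):
    return sorted(cve for cve, status in triage(installed, rows).items()
                  if status == "affected")


# Rows copied from the table above (descriptions shortened to the version clause).
CVE_ROWS = [
    ("CVE-2012-2311", "sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character"),
    ("CVE-2012-1172", "The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values"),
    ("CVE-2015-4643", "Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary code"),
    ("CVE-2014-9427", "sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file"),
    ("CVE-2012-2376", "Buffer overflow in the com_print_typeinfo function in PHP 5.4.3 and earlier on Windows allows remote attackers to execute arbitrary code"),
    ("CVE-2014-3710", "The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present"),
    ("CVE-2016-3185", "The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information"),
    ("CVE-2023-46733", "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8"),
]

if __name__ == "__main__":
    for installed in ("5.4.16", "5.4.45"):
        print(installed, triage(installed, CVE_ROWS))
```

Run against a mid-branch install such as 5.4.16 the sample flags the ftp, CGI-mmap and SOAP rows and correctly drops the php-cgi row (fixed in 5.4.3), the pre-release row ("before 5.4.0") and the Symfony row. Against the final 5.4.45 none of these sample rows applies, which is the point the page makes from the other side: the last 5.4 release closed everything published before September 2015 and nothing after it.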
The vulnerabilities catalogued for PHP 5.4, and in particular the critical-rated ones, most of which allow remote code execution, make an unpatched 5.4 install a standing target. Attackers scan the internet for outdated PHP because the version is easy to read off the wire: by default (expose_php = On) PHP adds an X-Powered-By: PHP/5.4.x header to every response, and they know nothing they find will ever be patched. Disabling that header hides the banner but fixes nothing. Upgrading to a PHP branch that still receives security releases is not a luxury; it's a fundamental security requirement that protects your data, your users, and your business reputation.
Don't wait for a breach to force your hand. Use SiteRecipe.com's comprehensive security analysis tools to identify all outdated software on your website, create an upgrade roadmap, and track your progress toward a secure infrastructure. Our platform helps thousands of website owners eliminate security debt and sleep better at night knowing their sites are protected. Start your free security audit at SiteRecipe.com today and take control of your website's future.