PHP 5.6 is an outdated version that poses serious security risks to your website. With 198 documented CVEs—including 66 critical vulnerabilities—running this version exposes your site to remote code execution, data breaches, and denial-of-service attacks. Major vulnerabilities in WDDX, SOAP, and SPL extensions can be exploited by attackers to compromise your entire application.
Unfortunately, 714 websites are still using PHP 5.6, many without realizing the danger. These websites are prime targets for cybercriminals who actively exploit known vulnerabilities. If your site is among them, immediate action is required to protect your data, users, and business reputation.
This comprehensive guide explains what PHP 5.6's vulnerabilities mean, how to check if you're affected, and the exact steps to upgrade to a secure version.
PHP 5.6 is an older version of PHP, the server-side programming language that powers the backend of millions of websites. Released in 2014, it was designed to process code on your web server and generate the pages visitors see in their browsers. Think of it as the engine that makes your website function—handling databases, user logins, form submissions, and content delivery.
However, PHP 5.6 reached end-of-life in January 2019, meaning it no longer receives security updates from developers. This is critical because cybersecurity is an ongoing process. As new threats emerge, software developers release patches to fix vulnerabilities. When a version stops receiving updates, every newly discovered weakness becomes a permanent liability for websites still using it.
198 CVEs found. The most critical are explained below.
PHP's WDDX extension (used to process certain data formats) has a flaw where it doesn't properly clean up memory after use. When someone sends specially crafted XML data to your website, it can cause the application to crash or behave unpredictably.
Impact: Your website could crash or stop responding to visitors. In worst cases, attackers might be able to take control of your server or access sensitive data.
PHP's SplMinHeap class (used for keeping data in sorted order) has a memory management bug. An attacker can exploit this flaw by sending requests that trigger this specific code path, potentially taking over your server.
Impact: Attackers could execute malicious code on your server, leading to complete compromise of your website and data theft.
PHP's SOAP functionality (used for web services) improperly handles error messages. When given unexpected data, it can expose sensitive internal information about your system, crash your application, or allow code execution.
Impact: Attackers could learn details about your server setup, crash your application, or potentially gain control of your server.
PHP's SOAP client (used to communicate with external web services) doesn't properly validate data types. Attackers can send malformed data that causes your application to crash or execute malicious code.
Impact: Your website could crash, or attackers could execute arbitrary code and take control of your server.
Multiple parts of PHP's SOAP processing have flaws where they mishandle unexpected data types. This can lead to application crashes or code execution when attackers send specially crafted requests.
Impact: Your application could crash repeatedly, or attackers could execute code on your server.
PHP's object handling has a flaw where it doesn't properly validate data types when processing incomplete class objects. Attackers can exploit this to crash your application or execute code.
Impact: Your website could become unstable or attackers could gain unauthorized access to your server.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2015-4603 | CRITICAL | 9.8 | 2016-05-16 | The exception::getTraceAsString function in Zend/zend_exceptions.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to execute arbitrary c… |
| CVE-2015-4642 | CRITICAL | 9.8 | 2016-05-16 | The escapeshellarg function in ext/standard/exec.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 on Windows allows remote attackers to execute arbitrary OS co… |
| CVE-2015-4643 | CRITICAL | 9.8 | 2016-05-16 | Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary cod… |
| CVE-2015-5589 | CRITICAL | 9.8 | 2016-05-16 | The phar_convert_to_other function in ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 does not validate a file pointer before a close ope… |
| CVE-2015-6834 | CRITICAL | 9.8 | 2016-05-16 | Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to … |
| CVE-2015-6835 | CRITICAL | 9.8 | 2016-05-16 | The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute … |
| CVE-2015-8835 | CRITICAL | 9.8 | 2016-05-16 | The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not properly retrieve keys, which allows remote … |
| CVE-2016-2554 | CRITICAL | 9.8 | 2016-05-16 | Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application cra… |
| CVE-2016-4071 | CRITICAL | 9.8 | 2016-05-20 | Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute ar… |
| CVE-2016-4072 | CRITICAL | 9.8 | 2016-05-20 | The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mis… |
| CVE-2016-4073 | CRITICAL | 9.8 | 2016-05-20 | Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attacke… |
| CVE-2015-8876 | CRITICAL | 9.8 | 2016-05-22 | Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not validate certain Exception objects, which allows remote attackers to cause a den… |
| CVE-2016-4537 | CRITICAL | 9.8 | 2016-05-22 | The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote… |
| CVE-2016-4538 | CRITICAL | 9.8 | 2016-05-22 | The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are … |
| CVE-2016-4539 | CRITICAL | 9.8 | 2016-05-22 | The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer un… |
| CVE-2016-4540 | CRITICAL | 9.8 | 2016-05-22 | The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of s… |
| CVE-2016-4541 | CRITICAL | 9.8 | 2016-05-22 | The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of se… |
| CVE-2016-4542 | CRITICAL | 9.8 | 2016-05-22 | The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows r… |
| CVE-2016-4543 | CRITICAL | 9.8 | 2016-05-22 | The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers… |
| CVE-2016-4544 | CRITICAL | 9.8 | 2016-05-22 | The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate TIFF start data, which allows remote at… |
| CVE-2016-6290 | CRITICAL | 9.8 | 2016-07-25 | ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to ca… |
| CVE-2016-6291 | CRITICAL | 9.8 | 2016-07-25 | The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service … |
| CVE-2016-6294 | CRITICAL | 9.8 | 2016-07-25 | The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the IC… |
| CVE-2016-6295 | CRITICAL | 9.8 | 2016-07-25 | ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remot… |
| CVE-2016-6296 | CRITICAL | 9.8 | 2016-07-25 | Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9,… |
| CVE-2016-5768 | CRITICAL | 9.8 | 2016-08-07 | Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.… |
| CVE-2016-5769 | CRITICAL | 9.8 | 2016-08-07 | Multiple integer overflows in mcrypt.c in the mcrypt extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allow remote attackers to cause a denial of service … |
| CVE-2016-5770 | CRITICAL | 9.8 | 2016-08-07 | Integer overflow in the SplFileObject::fread function in spl_directory.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 allows remote attackers to cause a denia… |
| CVE-2016-5771 | CRITICAL | 9.8 | 2016-08-07 | spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote … |
| CVE-2016-5772 | CRITICAL | 9.8 | 2016-08-07 | Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attac… |
| CVE-2016-5773 | CRITICAL | 9.8 | 2016-08-07 | php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, whi… |
| CVE-2016-7124 | CRITICAL | 9.8 | 2016-09-12 | ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possib… |
| CVE-2016-7126 | CRITICAL | 9.8 | 2016-09-12 | The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate the number of colors, which allows remote attackers to ca… |
| CVE-2016-7127 | CRITICAL | 9.8 | 2016-09-12 | The imagegammacorrect function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate gamma values, which allows remote attackers to cause a denial o… |
| CVE-2016-7129 | CRITICAL | 9.8 | 2016-09-12 | The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possi… |
| CVE-2016-7411 | CRITICAL | 9.8 | 2016-09-17 | ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or… |
| CVE-2016-7413 | CRITICAL | 9.8 | 2016-09-17 | Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service … |
| CVE-2016-7414 | CRITICAL | 9.8 | 2016-09-17 | The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attacke… |
| CVE-2016-7417 | CRITICAL | 9.8 | 2016-09-17 | ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attacker… |
| CVE-2016-8670 | CRITICAL | 9.8 | 2017-01-04 | Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP before 5.6.28 and 7.x before 7.0.13, allo… |
| CVE-2016-9137 | CRITICAL | 9.8 | 2017-01-04 | Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service… |
| CVE-2016-9138 | CRITICAL | 9.8 | 2017-01-04 | PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have … |
| CVE-2016-9935 | CRITICAL | 9.8 | 2017-01-04 | The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memor… |
| CVE-2016-10160 | CRITICAL | 9.8 | 2017-01-24 | Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory c… |
| CVE-2016-4473 | CRITICAL | 9.8 | 2017-06-08 | /ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833. |
| CVE-2017-9841 | CRITICAL | 9.8 | 2017-06-27 | Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring,… |
| CVE-2017-12933 | CRITICAL | 9.8 | 2017-08-18 | The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserial… |
| CVE-2017-12868 | CRITICAL | 9.8 | 2017-09-01 | The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attac… |
| CVE-2018-7584 | CRITICAL | 9.8 | 2018-03-01 | In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_strea… |
| CVE-2019-9020 | CRITICAL | 9.8 | 2019-02-22 | An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid … |
| CVE-2019-9021 | CRITICAL | 9.8 | 2019-02-22 | An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR e… |
| CVE-2019-9023 | CRITICAL | 9.8 | 2019-02-22 | An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbst… |
| CVE-2018-18757 | CRITICAL | 9.8 | 2019-06-19 | Open Faculty Evaluation System 5.6 for PHP 5.6 allows submit_feedback.php SQL Injection, a different vulnerability than CVE-2018-18758. |
| CVE-2014-3622 | CRITICAL | 9.8 | 2020-02-19 | Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveragi… |
| CVE-2025-0364 | CRITICAL | 9.8 | 2025-02-04 | BigAntSoft BigAnt Server, up to and including version 5.6.06, is vulnerable to unauthenticated remote code execution via account registration. An unauthenticated remote attacker c… |
| CVE-2026-34084 | CRITICAL | 9.8 | 2026-05-05 | PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 t… |
| CVE-2015-8866 | CRITICAL | 9.6 | 2016-05-22 | ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, whi… |
| CVE-2016-1903 | CRITICAL | 9.1 | 2016-01-19 | The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensiti… |
| CVE-2016-5114 | CRITICAL | 9.1 | 2016-08-07 | sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain s… |
| CVE-2017-11147 | CRITICAL | 9.1 | 2017-07-10 | In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially discl… |
| CVE-2016-4342 | HIGH | 8.8 | 2016-05-22 | ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-length uncompressed data, which allows remote attackers to cause a denial of… |
| CVE-2016-4343 | HIGH | 8.8 | 2016-05-22 | The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause… |
| CVE-2016-6297 | HIGH | 8.8 | 2016-07-25 | Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a d… |
| CVE-2016-5766 | HIGH | 8.8 | 2016-08-07 | Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7… |
| CVE-2016-5767 | HIGH | 8.8 | 2016-08-07 | Integer overflow in the gdImageCreate function in gd.c in the GD Graphics Library (aka libgd) before 2.0.34RC1, as used in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7… |
| CVE-2017-17727 | HIGH | 8.8 | 2017-12-18 | DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php. |
| CVE-2018-10549 | HIGH | 8.8 | 2018-04-29 | An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for cra… |
| CVE-2019-6977 | HIGH | 8.8 | 2019-01-27 | gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7… |
| CVE-2019-12799 | HIGH | 8.8 | 2019-06-13 | In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deseria… |
| CVE-2021-43430 | HIGH | 8.8 | 2022-04-07 | An Access Control vulnerability exists in BigAntSoft BigAnt office messenger 5.6 via im_webserver, which could let a malicious user upload PHP Trojan files. |
| CVE-2016-5093 | HIGH | 8.6 | 2016-08-07 | The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' char… |
| CVE-2016-5094 | HIGH | 8.6 | 2016-08-07 | Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or poss… |
| CVE-2016-5095 | HIGH | 8.6 | 2016-08-07 | Integer overflow in the php_escape_html_entities_ex function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of servi… |
| CVE-2016-5096 | HIGH | 8.6 | 2016-08-07 | Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have un… |
| CVE-2016-3142 | HIGH | 8.2 | 2016-03-31 | The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process me… |
| CVE-2016-3171 | HIGH | 8.1 | 2016-04-12 | Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related t… |
| CVE-2016-7412 | HIGH | 8.1 | 2016-09-17 | ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cau… |
| CVE-2018-15133 | HIGH | 8.1 | 2018-08-09 | In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. T… |
| CVE-2016-6289 | HIGH | 7.8 | 2016-07-25 | Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a deni… |
| CVE-2016-5399 | HIGH | 7.8 | 2017-04-21 | The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or … |
| CVE-2017-11628 | HIGH | 7.8 | 2017-07-25 | In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of s… |
| CVE-2013-7456 | HIGH | 7.6 | 2016-08-07 | gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.1.1, as used in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7, allows remote attackers to cause a… |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2003-1435 | HIGH | 7.5 | 2003-12-31 | SQL injection vulnerability in PHP-Nuke 5.6 and 6.0 allows remote attackers to execute arbitrary SQL commands via the days parameter to the search module. |
| CVE-2014-3669 | HIGH | 7.5 | 2014-10-29 | Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to caus… |
| CVE-2014-8142 | HIGH | 7.5 | 2014-12-20 | Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remot… |
| CVE-2014-9425 | HIGH | 7.5 | 2014-12-31 | Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers … |
| CVE-2014-9427 | HIGH | 7.5 | 2015-01-03 | sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider th… |
| CVE-2015-0231 | HIGH | 7.5 | 2015-01-27 | Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remot… |
| CVE-2014-9653 | HIGH | 7.5 | 2015-03-30 | readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes re… |
| CVE-2014-9705 | HIGH | 7.5 | 2015-03-30 | Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote att… |
| CVE-2015-0273 | HIGH | 7.5 | 2015-03-30 | Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allow remote attackers to execute arbitrary code v… |
| CVE-2015-1351 | HIGH | 7.5 | 2015-03-30 | Use-after-free vulnerability in the _zend_shared_memdup function in zend_shared_alloc.c in the OPcache extension in PHP through 5.6.7 allows remote attackers to cause a denial of … |
| CVE-2015-2301 | HIGH | 7.5 | 2015-03-30 | Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service … |
| CVE-2015-2331 | HIGH | 7.5 | 2015-03-30 | Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x befo… |
| CVE-2015-2787 | HIGH | 7.5 | 2015-03-30 | Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remot… |
| CVE-2015-3307 | HIGH | 7.5 | 2015-06-09 | The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (heap me… |
| CVE-2015-3329 | HIGH | 7.5 | 2015-06-09 | Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allow remote attackers to… |
| CVE-2015-4022 | HIGH | 7.5 | 2015-06-09 | Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code… |
| CVE-2015-4025 | HIGH | 7.5 | 2015-06-09 | PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character in certain situations, which allows remote attackers to bypa… |
| CVE-2015-4026 | HIGH | 7.5 | 2015-06-09 | The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote a… |
| CVE-2015-4147 | HIGH | 7.5 | 2015-06-09 | The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows… |
| CVE-2015-6833 | HIGH | 7.5 | 2016-01-19 | Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via … |
| CVE-2014-0236 | HIGH | 7.5 | 2016-05-16 | file before 5.18, as used in the Fileinfo component in PHP before 5.6.0, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via … |
| CVE-2015-4604 | HIGH | 7.5 | 2016-05-16 | The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a cer… |
| CVE-2015-4605 | HIGH | 7.5 | 2016-05-16 | The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a ce… |
| CVE-2015-4644 | HIGH | 7.5 | 2016-05-16 | The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extr… |
| CVE-2015-6837 | HIGH | 7.5 | 2016-05-16 | The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consid… |
| CVE-2015-6838 | HIGH | 7.5 | 2016-05-16 | The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consid… |
| CVE-2015-8873 | HIGH | 7.5 | 2016-05-16 | Stack consumption vulnerability in Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to cause a denial of service (… |
| CVE-2015-8874 | HIGH | 7.5 | 2016-05-16 | Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. |
| CVE-2016-4070 | HIGH | 7.5 | 2016-05-20 | Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial… |
| CVE-2015-8867 | HIGH | 7.5 | 2016-05-22 | The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseu… |
| CVE-2015-8877 | HIGH | 7.5 | 2016-05-22 | The gdImageScaleTwoPass function in gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.2.0, as used in PHP before 5.6.12, uses inconsistent allocate and free appro… |
| CVE-2015-8879 | HIGH | 7.5 | 2016-05-22 | The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of serv… |
| CVE-2016-7125 | HIGH | 7.5 | 2016-09-12 | ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbi… |
| CVE-2016-7130 | HIGH | 7.5 | 2016-09-12 | The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and … |
| CVE-2016-7131 | HIGH | 7.5 | 2016-09-12 | ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have u… |
| CVE-2016-7132 | HIGH | 7.5 | 2016-09-12 | ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have u… |
| CVE-2016-7416 | HIGH | 7.5 | 2016-09-17 | ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, whic… |
| CVE-2016-7418 | HIGH | 7.5 | 2016-09-17 | The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and o… |
| CVE-2016-9933 | HIGH | 7.5 | 2017-01-04 | Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13… |
| CVE-2016-9934 | HIGH | 7.5 | 2017-01-04 | ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPac… |
| CVE-2016-7478 | HIGH | 7.5 | 2017-01-11 | Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception objec… |
| CVE-2016-10158 | HIGH | 7.5 | 2017-01-24 | The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (app… |
| CVE-2016-10159 | HIGH | 7.5 | 2017-01-24 | Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory c… |
| CVE-2016-10161 | HIGH | 7.5 | 2017-01-24 | The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of servi… |
| CVE-2015-8994 | HIGH | 7.5 | 2017-03-02 | An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issu… |
| CVE-2016-10397 | HIGH | 7.5 | 2017-07-10 | In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as de… |
| CVE-2017-11142 | HIGH | 7.5 | 2017-07-10 | In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related … |
| CVE-2017-11143 | HIGH | 7.5 | 2017-07-10 | In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpre… |
| CVE-2017-11144 | HIGH | 7.5 | 2017-07-10 | In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could… |
| CVE-2017-11145 | HIGH | 7.5 | 2017-07-10 | In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date stri… |
| CVE-2017-16642 | HIGH | 7.5 | 2017-11-07 | In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used b… |
| CVE-2016-10712 | HIGH | 7.5 | 2018-02-09 | In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during fi… |
| CVE-2018-10546 | HIGH | 7.5 | 2018-04-29 | An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stre… |
| CVE-2018-10548 | HIGH | 7.5 | 2018-04-29 | An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of ser… |
| CVE-2018-14883 | HIGH | 7.5 | 2018-08-03 | An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_… |
| CVE-2018-15132 | HIGH | 7.5 | 2018-08-07 | An issue was discovered in ext/standard/link_win32.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. The linkinfo function on Windows doesn… |
| CVE-2018-20783 | HIGH | 7.5 | 2019-02-21 | In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unal… |
| CVE-2019-9024 | HIGH | 7.5 | 2019-02-22 | An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to rea… |
| CVE-2014-9426 | HIGH | 7.3 | 2014-12-31 | The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which a… |
| CVE-2015-5590 | HIGH | 7.3 | 2016-01-19 | Stack-based buffer overflow in the phar_fix_filepath function in ext/phar/phar.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 allows remote attackers to caus… |
| CVE-2015-6831 | HIGH | 7.3 | 2016-01-19 | Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allow remote attackers to execute arbitrary code via vectors invo… |
| CVE-2015-6832 | HIGH | 7.3 | 2016-01-19 | Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attacker… |
| CVE-2015-6836 | HIGH | 7.3 | 2016-01-19 | The SoapClient __call method in ext/soap/soap.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 does not properly manage headers, which allows remote attackers … |
| CVE-2015-8865 | HIGH | 7.3 | 2016-05-20 | The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuat… |
| CVE-2021-39503 | HIGH | 7.2 | 2021-09-07 | PHPMyWind 5.6 is vulnerable to Remote Code Execution. Because input is filtered without "<, >, ?, =, `,...." In WriteConfig() function, an attacker can inject php code to /include/… |
| CVE-2026-6227 | HIGH | 7.2 | 2026-04-14 | The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, … |
| CVE-2016-3185 | HIGH | 7.1 | 2016-05-16 | The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain s… |
| CVE-2014-3670 | MEDIUM | 6.8 | 2014-10-29 | The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, w… |
| CVE-2015-0232 | MEDIUM | 6.8 | 2015-01-27 | The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a… |
| CVE-2015-3330 | MEDIUM | 6.8 | 2015-06-09 | The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, when the Apache HTTP Server 2.4.x is used, allows… |
| CVE-2015-7803 | MEDIUM | 6.8 | 2015-12-11 | The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (NULL pointer dereference and… |
| CVE-2015-7804 | MEDIUM | 6.8 | 2015-12-11 | Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (uninitiali… |
| CVE-2025-65960 | MEDIUM | 6.6 | 2025-11-25 | Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can… |
| CVE-2003-1340 | MEDIUM | 6.5 | 2003-12-31 | Multiple SQL injection vulnerabilities in Francisco Burzi PHP-Nuke 5.6 and 6.5 allow remote authenticated users to execute arbitrary SQL commands via (1) a uid (user) cookie to mo… |
| CVE-2015-3411 | MEDIUM | 6.5 | 2016-05-16 | PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary … |
| CVE-2015-4598 | MEDIUM | 6.5 | 2016-05-16 | PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary… |
| CVE-2016-6292 | MEDIUM | 6.5 | 2016-07-25 | The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (NUL… |
| CVE-2017-7890 | MEDIUM | 6.5 | 2017-08-02 | The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap … |
| CVE-2020-19964 | MEDIUM | 6.5 | 2021-10-14 | A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication. |
| CVE-2008-3659 | MEDIUM | 6.4 | 2008-08-15 | Buffer overflow in the memnstr function in PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent attackers to cause a denial of service (crash) and possibly ex… |
| CVE-2015-8935 | MEDIUM | 6.1 | 2016-08-07 | The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibi… |
| CVE-2018-5712 | MEDIUM | 6.1 | 2018-01-16 | An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a … |
| CVE-2018-10547 | MEDIUM | 6.1 | 2018-04-29 | An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 an… |
| CVE-2018-17082 | MEDIUM | 6.1 | 2018-09-16 | The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, be… |
| CVE-2019-16703 | MEDIUM | 6.1 | 2019-09-23 | admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. |
| CVE-2015-8838 | MEDIUM | 5.9 | 2016-05-16 | ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle atta… |
| CVE-2015-8878 | MEDIUM | 5.9 | 2016-05-22 | main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before 5.6.12 does not ensure thread safety, which allows remote attackers to cause a denial of service (race conditi… |
| CVE-2015-2783 | MEDIUM | 5.8 | 2015-06-09 | ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information from process memory or cause a denial of … |
| CVE-2018-5711 | MEDIUM | 5.5 | 2018-01-16 | gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error… |
| CVE-2018-14851 | MEDIUM | 5.5 | 2018-08-02 | exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial o… |
| CVE-2026-35453 | MEDIUM | 5.4 | 2026-05-05 | PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 t… |
| CVE-2015-3412 | MEDIUM | 5.3 | 2016-05-16 | PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via cr… |
| CVE-2016-7128 | MEDIUM | 5.3 | 2016-09-12 | The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which all… |
| CVE-2014-4049 | MEDIUM | 5.1 | 2014-06-18 | Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly … |
| CVE-2014-3668 | MEDIUM | 5.0 | 2014-10-29 | Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x… |
| CVE-2014-9652 | MEDIUM | 5.0 | 2015-03-30 | The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly ha… |
| CVE-2014-9709 | MEDIUM | 5.0 | 2015-03-30 | The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer ove… |
| CVE-2015-1352 | MEDIUM | 5.0 | 2015-03-30 | The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate token extraction for table names, which allows remote attack… |
| CVE-2015-2348 | MEDIUM | 5.0 | 2015-03-30 | The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a … |
| CVE-2015-4021 | MEDIUM | 5.0 | 2015-06-09 | The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is diffe… |
| CVE-2015-4024 | MEDIUM | 5.0 | 2015-06-09 | Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote att… |
| CVE-2015-4148 | MEDIUM | 5.0 | 2015-06-09 | The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remo… |
| CVE-2019-16704 | MEDIUM | 4.8 | 2019-09-23 | admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS. |
| CVE-2021-41731 | MEDIUM | 4.8 | 2022-09-16 | Cross Site Scripting (XSS) vulnerability exists in Sourcecodester News247 News Magazine (CMS) PHP 5.6 or higher and MySQL 5.7 or higher via the blog category name field |
| CVE-2018-10545 | MEDIUM | 4.7 | 2018-04-29 | An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access control… |
| CVE-2013-6501 | MEDIUM | 4.6 | 2015-03-30 | The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local us… |
| CVE-2014-9767 | MEDIUM | 4.3 | 2016-05-22 | Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip… |
| CVE-2006-0818 | MEDIUM | 4.0 | 2006-07-21 | Absolute path directory traversal vulnerability in (1) MERAK Mail Server for Windows 8.3.8r with before IceWarp Web Mail 5.6.1 and (2) VisNetic MailServer before 8.5.0.5 allows re… |
| CVE-2014-5459 | LOW | 3.6 | 2014-09-27 | The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file i… |
PHP 5.6 is no longer safe for production websites. The 198 documented CVEs, and in particular the 66 rated critical in the WDDX, SOAP, and SPL extensions, add up to a risk that no patch-level update can remove, because the 5.6 branch stopped receiving fixes in January 2019. One caveat when reading the table: it is a version-string match rather than a curated list, so entries such as PHPMyWind 5.6, PHP-Nuke 5.6, Contao 5.6.5, IceWarp Web Mail 5.6.1 and PhpSpreadsheet concern other products that merely carry a "5.6" label, and the count for the PHP interpreter itself is somewhat lower. That does not change the conclusion. Attackers actively exploit the known interpreter weaknesses to steal data, inject malware, and take control of websites. If you're still running PHP 5.6, even the final 5.6.40 release, upgrading isn't optional; it's essential for protecting your business and users.
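A check a practitioner will want before acting on the table: which of these rows still apply to the exact 5.6.x build a server reports (from `php -v`, or from an exposed `X-Powered-By` header)? The script below is an added example written for this page, not code from SiteRecipe or from the PHP project. It parses the "before 5.6.N" and "through 5.6.N" range clauses that NVD uses in the descriptions above and compares them to an installed version string. The handful of rows embedded in it are copied from the table (constructed sample input; the full table fits the same shape), the installed version is an assumed input, and the file name `php56_check.py` is a placeholder. Rows with no 5.6 range clause, including the PHPMyWind, PHP-Nuke and other non-interpreter entries, come back as "unparsed" rather than being silently counted either way.

```python
import re

# Rows copied from the CVE table on this page (NVD wording, truncated as shown
# there). This sample is constructed for the example; feed the whole table in
# the same (cve_id, description) shape to cover every row.
ROWS = [
    ("CVE-2016-7125", "ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names"),
    ("CVE-2015-6831", "Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12"),
    ("CVE-2014-9426", "The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4"),
    ("CVE-2019-9024", "An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1."),
    ("CVE-2021-39503", "PHPMyWind 5.6 is vulnerable to Remote Code Execution."),
]

# NVD phrasing for the 5.6 branch: "PHP before 5.6.25" / "5.6.x before 5.6.12"
# means the named release carries the fix; "PHP through 5.6.4" means every
# 5.6 release up to and including 5.6.4 is affected.
BEFORE_RE = re.compile(r"\bbefore (5\.6\.\d+)")
THROUGH_RE = re.compile(r"\bthrough (5\.6\.\d+)")


def parse_version(text):
    """'5.6.25' -> (5, 6, 25); a pre-release tag such as '5.6.0beta4' keeps its numeric part."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a PHP version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(description, installed):
    """Return (status, boundary) for one CVE against one installed version.

    status is 'affected', 'fixed' or 'unparsed'; boundary is the 5.6.x release
    the verdict was derived from, or None when no 5.6 range clause was found
    (a different product that merely contains "5.6", or wording this parser
    does not handle, e.g. "5.x after 5.6.28").
    """
    v = parse_version(installed)
    m = BEFORE_RE.search(description)
    if m:
        fix = m.group(1)
        return ("affected" if v < parse_version(fix) else "fixed", fix)
    m = THROUGH_RE.search(description)
    if m:
        last = m.group(1)
        return ("affected" if v <= parse_version(last) else "fixed", last)
    return ("unparsed", None)


def assess(installed, rows=ROWS):
    """Map every CVE id in rows to its (status, boundary) for the installed version."""
    return {cve: classify(desc, installed) for cve, desc in rows}


def summarize(report):
    """Count verdicts so a glance shows how much of the list still applies."""
    counts = {"affected": 0, "fixed": 0, "unparsed": 0}
    for status, _ in report.values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    import sys

    version = sys.argv[1] if len(sys.argv) > 1 else "5.6.20"
    report = assess(version)
    for cve, (status, boundary) in report.items():
        suffix = f" (5.6 boundary release: {boundary})" if boundary else ""
        print(f"{cve}: {status}{suffix}")
    print(summarize(report))
```

Run it as `python3 php56_check.py 5.6.20` (or whatever `php -v` reports). A build reporting 5.6.40 comes back "fixed" for every interpreter row, which only says that the last 5.6 release addressed the CVEs published up to its own date; anything found after January 2019 never received a 5.6 fix at all, which is why the version has to be left behind rather than patched.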
Don't wait for a breach to force your hand. SiteRecipe.com helps you identify outdated technologies on your website and provides step-by-step guidance to upgrade safely. Our security analysis tool scans for 198+ PHP 5.6 vulnerabilities and gives you a clear roadmap to modern, secure versions. Visit SiteRecipe.com today to run a free security assessment and take the first step toward protecting your website.