    Home /
    Blog /
    PHP 7.1.27
  

Security Advisory

PHP 7.1.27 Security Update: 6 Critical CVEs Explained

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 686 websites still running PHP 7.1.27 → View full list

Total

Critical

High

PHP 7.1.27 contains critical security vulnerabilities that put your website at serious risk. With 1 critical and 5 high-severity CVEs discovered in this version, hackers could potentially exploit your site through EXIF processing, buffer overflows, and file permission issues. This guide will help you understand these threats and take immediate action to protect your web applications.

If your website is still running PHP 7.1.27, you're among 686 sites currently using this outdated version. The vulnerabilities range from uninitialized memory reads to buffer overflow attacks that could compromise your entire system. Don't wait—this article will walk you through identifying and fixing these critical security gaps.

What is Php 7.1.27?

PHP 7.1.27 is an older release of PHP, the programming language that powers millions of websites worldwide. Released in 2019, it was designed to help websites run faster and handle more complex tasks. However, like all software, security vulnerabilities were discovered after its release that needed immediate patching.

Think of PHP as the engine of your website. Just like a car engine needs regular maintenance and updates to run safely, PHP needs security patches to protect against hackers. PHP 7.1.27 is now several versions behind the current releases, meaning it's missing years of security improvements and bug fixes that protect modern websites from cyber threats.

Key Vulnerabilities in Php 7.1.27

6 CVEs found. The most critical are explained below.

CRITICAL CVE-2019-9641 9.8/10 · CVSS v3.1 ⏱ Immediate

Photo metadata reading flaw

PHP has a problem when reading photo metadata (EXIF data). When your website processes images, it may read incorrect or uninitialized information from the photo file, which could cause unexpected behavior or crashes.

Impact: An attacker could upload a specially crafted image that crashes your website or potentially allows them to access sensitive information.

↗ View on NVD

HIGH CVE-2019-9675 8.1/10 · CVSS v3.0 ⏱ Immediate

Archive file overflow vulnerability

PHP's archive handling code has a memory overflow issue when processing certain file paths in compressed files (like ZIP or TAR archives). A malicious archive with an extremely long filename could overflow the system's memory buffers.

Impact: An attacker could upload a malicious archive file that crashes your website or potentially executes malicious code on your server.

↗ View on NVD

HIGH CVE-2019-9637 7.5/10 · CVSS v3.0 ⏱ Within 7 days

File permission vulnerability during renaming

When PHP renames files across different storage drives, there's a brief moment where the file has incorrect permissions. During this window, unauthorized users might access files they shouldn't.

Impact: An attacker on your server could potentially read or access sensitive files during the brief window when permissions are incorrect.

↗ View on NVD

HIGH CVE-2019-9638 7.5/10 · CVSS v3.1 ⏱ Immediate

Photo metadata reading error in maker notes

PHP incorrectly reads manufacturer-specific metadata (maker notes) embedded in photos. This miscalculation could cause it to read wrong data from the file.

Impact: Uploading certain photos could crash your website or leak sensitive information from server memory.

↗ View on NVD

HIGH CVE-2019-9639 7.5/10 · CVSS v3.1 ⏱ Immediate

Photo metadata size calculation error

PHP miscalculates the size of manufacturer-specific photo metadata, leading to reading incorrect portions of files. This could cause system instability or data leaks.

Impact: Specially crafted photos could crash your website or expose sensitive data stored in server memory.

↗ View on NVD

HIGH CVE-2019-9640 7.5/10 · CVSS v3.1 ⏱ Immediate

Photo image structure reading error

PHP has a flaw when reading image structure data from photos. It may attempt to read data from invalid memory locations, causing crashes or unpredictable behavior.

Impact: An attacker could upload a malicious photo that crashes your website or potentially accesses sensitive server information.

↗ View on NVD

Is your website running Php 7.1.27?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 686 affected sites

How to Check If Your Website Is Affected

1 Log into your web hosting control panel (cPanel, Plesk, or similar) and navigate to the PHP version settings
2 Look for the version number displayed—it will show something like 'PHP 7.1.27' if you're running this vulnerable version
3 Alternatively, create a small PHP file with <?php phpinfo(); ?> and upload it to your server to see the exact version number
4 Use SiteRecipe.com's free vulnerability scanner to automatically detect if your site is affected by any of these 6 CVEs

How to Fix These Vulnerabilities

1 Back up your entire website and database immediately using your hosting control panel or backup software—this protects you if anything goes wrong during the update
2 Log into your hosting control panel and navigate to the PHP version selector or PHP settings area
3 Select a newer, supported PHP version (PHP 7.4 or higher is recommended for security and performance)
4 Click 'Update' or 'Apply' and allow 5-10 minutes for the changes to take effect across your website
5 Test your website thoroughly by visiting key pages and checking that all features work correctly after the update
6 Use SiteRecipe.com's vulnerability scanner again to confirm all CVEs have been resolved

Conclusion

The 6 vulnerabilities in PHP 7.1.27—especially the critical EXIF processing flaw and buffer overflow issues—represent serious security risks that hackers actively exploit. Updating to a newer PHP version is one of the most important steps you can take to protect your website, your visitors' data, and your business reputation. The good news is that upgrading typically takes just minutes and most modern websites run perfectly on current PHP versions.

Don't leave your website vulnerable. Use SiteRecipe.com's comprehensive security scanner to identify all CVEs affecting your site, get personalized fix recommendations, and monitor your website's security continuously. Our platform makes it easy to understand technical threats and take action—because protecting your website shouldn't require a computer science degree. Start your free scan today at SiteRecipe.com.

Frequently Asked Questions

How serious is the CVE-2019-9641 critical vulnerability?

CVE-2019-9641 is a critical uninitialized memory read in PHP's EXIF processing that could allow attackers to execute code or crash your website by uploading a specially crafted image file. This is the most dangerous vulnerability in PHP 7.1.27 and should be patched immediately. An attacker doesn't even need special access—they could exploit this through a standard image upload feature.

Will updating PHP break my website?

Most websites transition smoothly from PHP 7.1.27 to newer versions, though older plugins or custom code might need updates. This is why backing up first is crucial. Modern PHP versions are actually more stable and faster than 7.1.27, so most sites see improvements. Always test on a staging environment before updating your live site.

What's the difference between critical and high severity CVEs?

Critical CVEs (like CVE-2019-9641) can be exploited without special permissions and have severe consequences like system compromise. High severity CVEs are also dangerous but may require specific conditions or user interaction to exploit. Either way, both require immediate patching—don't assume high severity vulnerabilities are safe to ignore.

How can SiteRecipe.com help protect my website?

SiteRecipe.com automatically scans your website for known CVEs, outdated software versions, and security misconfigurations. We provide clear, non-technical reports explaining what's wrong and exactly how to fix it. Our continuous monitoring alerts you to new vulnerabilities before hackers can exploit them.

Are there other vulnerabilities besides these 6 CVEs in PHP 7.1.27?

Yes, PHP 7.1.27 likely has additional vulnerabilities that haven't been publicly disclosed or are still being discovered. Using outdated software means you're missing all the security patches from subsequent releases. Upgrading to a current PHP version ensures you get all available security fixes and maintenance updates.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 686 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com