    Home /
    Blog /
    PHP 7.3.5
  

Security Advisory

PHP 7.3.5 Critical Vulnerability CVE-2019-11036: Security Guide

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 765 websites still running PHP 7.3.5 → View full list

Total

Critical

PHP 7.3.5 contains a critical security vulnerability (CVE-2019-11036) that could expose sensitive information or crash your website. This flaw affects the EXIF extension, a commonly used feature for processing image metadata. With over 765 websites still running this vulnerable version, understanding this risk is essential for protecting your site.

The vulnerability allows attackers to read beyond allocated memory buffers, potentially accessing confidential data or triggering server crashes. If your website processes images—whether through galleries, user uploads, or automated tools—you could be at risk. This guide explains the threat and provides actionable steps to secure your site immediately.

What is Php 7.3.5?

PHP 7.3.5 is a web server programming language released in 2019. It's the software that powers the backend of millions of websites, handling everything from processing forms to managing databases. Think of it as the engine that makes websites work behind the scenes. Most web hosting companies install PHP automatically, and many site owners never think about updating it.

The EXIF extension mentioned in this vulnerability is a PHP tool that reads image metadata—information embedded in photos like camera settings, dates, and location data. Websites use this feature to organize photos, create thumbnails, and verify image authenticity. When PHP processes images with the EXIF extension, it should read only the intended data, but this vulnerability allows it to read beyond safe boundaries.

Key Vulnerabilities in Php 7.3.5

1 CVEs found. The most critical are explained below.

CRITICAL CVE-2019-11036 9.1/10 · CVSS v3.1 ⏱ Immediate

PHP Image File Processing Memory Leak

PHP 7.3.5 and earlier versions have a flaw in how they process certain image files, specifically when reading EXIF data (camera information embedded in photos). A hacker can exploit this by uploading a specially crafted image file to your website.

Impact: An attacker could steal sensitive information from your server's memory or cause your website to crash and become unavailable to visitors. This is particularly dangerous if your site accepts image uploads from users.

↗ View on NVD

Is your website running Php 7.3.5?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 765 affected sites

How to Check If Your Website Is Affected

1 Log into your web hosting control panel (cPanel, Plesk, or similar) and navigate to the PHP version settings
2 Check your current PHP version—if it shows 7.3.5 or an earlier 7.3.x version below 7.3.5, you're vulnerable
3 Create a test PHP file with <?php phpinfo(); ?> and upload it to verify the exact version your server is running

How to Fix These Vulnerabilities

1 Back up your entire website and database before making any changes—this protects against unexpected issues during updates
2 Contact your web host and request an upgrade to PHP 7.3.6 or higher, or preferably to PHP 8.0+ for better security and performance
3 If you manage your own server, use your package manager (apt, yum) to update PHP: sudo apt update && sudo apt upgrade php7.3
4 After upgrading, test your website thoroughly—check image uploads, galleries, and any EXIF-dependent features to ensure everything works correctly

Conclusion

CVE-2019-11036 is a serious threat that demands immediate attention. With 765 websites still vulnerable, cybercriminals are actively scanning for outdated PHP installations. Upgrading to a patched version takes just minutes and dramatically improves your security posture. Don't wait until your site is compromised—take action today.

Using SiteRecipe.com's vulnerability scanner, you can continuously monitor your website for security weaknesses like this one. Our platform automatically alerts you to critical updates and provides step-by-step remediation guidance. Protect your website, your customers' data, and your reputation by staying ahead of threats. Start your free security audit with SiteRecipe.com now.

Frequently Asked Questions

Can this vulnerability be exploited without direct server access?

Yes. Attackers can exploit this vulnerability by uploading specially crafted image files to your website. If your site accepts image uploads from users or processes images, you're at risk of information disclosure or denial-of-service attacks.

Will upgrading PHP break my website?

Most upgrades are seamless, especially from 7.3.5 to 7.3.6+. However, older custom code or plugins might have compatibility issues. Always back up your site first and test on a staging environment. Your hosting provider can usually handle this safely.

What if I'm running PHP 8.0 or newer—am I safe?

Yes, PHP 8.0 and later versions are not affected by CVE-2019-11036. However, you should still maintain regular updates to protect against other newly discovered vulnerabilities in the EXIF extension and elsewhere.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 765 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com