CRITICAL🇵🇱 Wersja polska

CVE-2016-7398

CVSS 9.8v3.1pub. 2019-09-06upd. 2024-11-21

A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • PHP Ext Http

    APP
    Php
    2.6.03.1.0≤ 2.5.63.0.0 – 3.0.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam vendor

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit

CVE-2012-1823CRITICAL9.8⚠ KEVten sam vendor

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi)...

CVE-2026-6722CRITICAL9.5PL ✓ten sam vendor

Use-after-free w rozszerzeniu SOAP PHP umożliwiające RCE

CVE-2024-11235CRITICAL9.2PL ✓ten sam vendor

PHP use-after-free przez __set lub ??= z wyjątkami — RCE

CVE-2022-31631CRITICAL9.1PL ✓ten sam vendor

PHP PDO SQLite — błędne cytowanie ciągów prowadzące do SQL injection