In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NPHP
APPPhp8.0.0 – 8.0.27 (bez)8.1.0 – 8.1.15 (bez)8.2.0 – 8.2.2 (bez)Sqlite
APPSqlite≥ 3.39.2
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
SQLi
CWE
Related vulnerabilities
CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit
CVE-2012-1823CRITICAL9.8⚠ KEVten sam produkt
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi)...
CVE-2026-6722CRITICAL9.5PL ✓ten sam produkt
Use-after-free w rozszerzeniu SOAP PHP umożliwiające RCE
CVE-2024-11235CRITICAL9.2PL ✓ten sam produkt
PHP use-after-free przez __set lub ??= z wyjątkami — RCE
CVE-2024-11236CRITICAL9.8PL ✓ten sam produkt
PHP: integer overflow w ldap_escape() prowadzący do out-of-bounds write