pkg:Debian/php7.4

All known vulnerabilities

• CRITICAL9.8CVE-2026-7261SoapServer session-persisted object use-after-free via SOAP header fault
  from 0, < 7.4.33-1+deb11u11
• CRITICAL9.8CVE-2026-6722Use-After-Free in SOAP using Apache map
  from 0, < 7.4.33-1+deb11u11
• CRITICAL9.8Stream HTTP wrapper truncates redirect location to 1024 bytes
  from 0, < 7.4.33-1+deb11u8
• CRITICAL9.8Integer overflow in the firebird and dblib quoters causing OOB writes
  from 0, < 7.4.33-1+deb11u7
• CRITICAL9.8OOB access in ldap_escape
  from 0, < 7.4.33-1+deb11u7
• CRITICAL9.8Buffer overflow and overread in phar_dir_read()
  from 0, < 7.4.33-1+deb11u5
• CRITICAL9.8pypy3 - security update
  from 0, < 7.4.33-1+deb11u1
• CRITICAL9.8UAF due to php_filter_float() failing
  from 0, < 7.4.28-1+deb11u1
• CRITICAL9.1php7.4 - security update
  from 0, < 7.4.33-1+deb11u3
• CRITICAL9.1php7.4 - security update
  from 0, < 7.4.33-1+deb11u3
• CRITICAL9.1global buffer-overflow in mbfl_filt_conv_big5_wchar
  from 0, < 7.4.2-7
• CRITICAL9.1php5 - security update
  from 0, < 7.4.2-7
• HIGH8.8mysqlnd/pdo password buffer overflow
  from 0, < 7.4.30-1+deb11u1
• HIGH8.8mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full
  from 0, < 7.4.5-1
• HIGH8.2php7.4 - security update
  from 0, < 7.4.33-1+deb11u10
• HIGH8.2php7.4 - security update
  from 0, < 7.4.33-1+deb11u10
• HIGH8.2php8.2 - security update
  from 0, < 7.4.33-1+deb11u7
• HIGH8.2php8.2 - security update
  from 0, < 7.4.33-1+deb11u7
• HIGH8.1Array overrun in common path resolve code
  from 0, < 7.4.33-1+deb11u3
• HIGH8.1php7.4 - security update
  from 0, < 7.4.30-1+deb11u1
• HIGH8.1php7.4 - security update
  from 0, < 7.4.30-1+deb11u1
• HIGH7.5Signed integer overflow in metaphone()
  from 0, < 7.4.33-1+deb11u11
• HIGH7.5NULL pointer dereference in SOAP apache:Map decoder with missing <value>
  from 0, < 7.4.33-1+deb11u11
• HIGH7.5Out-of-bounds read in urldecode() on NetBSD
  from 0, < 7.4.33-1+deb11u11
• HIGH7.5pgsql extension does not check for errors during escaping
  from 0, < 7.4.33-1+deb11u9
• HIGH7.5cgi.force_redirect configuration is bypassable due to the environment variable collision
  from 0, < 7.4.33-1+deb11u6
• HIGH7.5php8.2 - security update
  from 0, < 7.4.33-1+deb11u5
• HIGH7.5php8.2 - security update
  from 0, < 7.4.33-1+deb11u5
• HIGH7.5DoS vulnerability when parsing multipart request body
  from 0, < 7.4.33-1+deb11u3
• HIGH7.5Null Dereference in SoapClient
  from 0, < 7.4.15-1
• HIGH7.5OOB Read in urldecode()
  from 0, < 7.4.5-1
• HIGH7.5php5 - security update
  from 0, < 7.4.3-1
• HIGH7.3Stream HTTP wrapper header check might omit basic auth header
  from 0, < 7.4.33-1+deb11u8
• HIGH7.2Configuring a proxy in a stream context might allow for CRLF injection in URIs
  from 0, < 7.4.33-1+deb11u7
• HIGH7.1OOB read due to insufficient input validation in imageloadfont()
  from 0, < 7.4.33-1+deb11u1
• HIGH7.0php7.3 - security update
  from 0, < 7.4.25-1+deb11u1
• HIGH7.0php7.3 - security update
  from 0, < 7.4.25-1+deb11u1
• MEDIUM6.5PHP function password_verify can erroneously return true when argument contains NUL
  from 0, < 7.4.33-1+deb11u5
• MEDIUM6.5php7.3 - security update
  from 0, < 7.4.33-1+deb11u5
• MEDIUM6.5$_COOKIE names string replacement (. -> _): cookie integrity vulnerabilities
  from 0, < 7.4.33-1+deb11u1
• MEDIUM6.5Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV
  from 0, < 7.4.11-1
• MEDIUM6.2password_verify() always returns true for some invalid hashes
  from 0, < 7.4.33-1+deb11u3
• MEDIUM6.1XSS within PHP-FPM status endpoint
  from 0, < 7.4.33-1+deb11u11
• MEDIUM5.9NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix
  from 0, < 7.4.33-1+deb11u9
• MEDIUM5.9PHP is vulnerable to the Marvin Attack
  from 0
• MEDIUM5.9php7.3 - security update
  from 0, < 7.4.21-1+deb11u1
• MEDIUM5.8Leak partial content of the heap through heap buffer over-read in mysqlnd
  from 0, < 7.4.33-1+deb11u7
• MEDIUM5.5php7.4 - security update
  from 0, < 7.4.33-1+deb11u6
• MEDIUM5.5php7.4 - security update
  from 0, < 7.4.33-1+deb11u6
• MEDIUM5.5php7.4 - security update
  from 0, < 7.4.33-1+deb11u1
• MEDIUM5.5php7.4 - security update
  from 0, < 7.4.33-1+deb11u1
• MEDIUM5.4php5 - security update
  from 0, < 7.4.5-1
• MEDIUM5.3php8.2 - security update
  from 0, < 7.4.33-1+deb11u9
• MEDIUM5.3php8.2 - security update
  from 0, < 7.4.33-1+deb11u9
• MEDIUM5.3Streams HTTP wrapper does not fail for headers with invalid name and no colon
  from 0, < 7.4.33-1+deb11u8
• MEDIUM5.3libxml streams use wrong content-type header when requesting a redirected resource
  from 0, < 7.4.33-1+deb11u8
• MEDIUM5.3php8.2 - security update
  from 0, < 7.4.33-1+deb11u6
• MEDIUM5.3php8.2 - security update
  from 0, < 7.4.33-1+deb11u6
• MEDIUM5.3php7.4 - security update
  from 0, < 7.4.28-1+deb11u1
• MEDIUM5.3php7.4 - security update
  from 0, < 7.4.28-1+deb11u1
• MEDIUM5.3Incorrect URL validation in FILTER_VALIDATE_URL
  from 0, < 7.4.21-1+deb11u1
• MEDIUM5.3FILTER_VALIDATE_URL accepts URLs with invalid userinfo
  from 0, < 7.4.14-1
• MEDIUM5.3php7.0 - security update
  from 0, < 7.4.11-1
• MEDIUM5.3php7.3 - security update
  from 0, < 7.4.9-1
• MEDIUM5.3Files added to tar with Phar::buildFromIterator have all-access permissions
  from 0, < 7.4.3-1
• MEDIUM4.3php8.2 - security update
  from 0, < 7.4.33-1+deb11u4
• MEDIUM4.3php8.2 - security update
  from 0, < 7.4.33-1+deb11u4
• MEDIUM4.3get_headers() silently truncates after a null byte
  from 0, < 7.4.5-1
• LOW3.6php7.3 - security update
  from 0, < 7.4.9-1
• LOW3.3PHP-FPM logs from children may be altered
  from 0, < 7.4.33-1+deb11u6
• LOW3.1php8.2 - security update
  from 0, < 7.4.33-1+deb11u8
• LOW3.1php8.2 - security update
  from 0, < 7.4.33-1+deb11u8