pkg:Debian/php7.4

72 total CVEsCRITICAL12HIGH25MEDIUM31LOW4

✅ Check your installed version

All known vulnerabilities

  • CRITICAL9.8CVE-2026-7261SoapServer session-persisted object use-after-free via SOAP header fault
    from 0, < 7.4.33-1+deb11u11
  • CRITICAL9.8CVE-2026-6722Use-After-Free in SOAP using Apache map
    from 0, < 7.4.33-1+deb11u11
  • CRITICAL9.8CVE-2025-1861Stream HTTP wrapper truncates redirect location to 1024 bytes
    from 0, < 7.4.33-1+deb11u8
  • CRITICAL9.8CVE-2024-11236Integer overflow in the firebird and dblib quoters causing OOB writes
    from 0, < 7.4.33-1+deb11u7
  • CRITICAL9.8CVE-2024-8932OOB access in ldap_escape
    from 0, < 7.4.33-1+deb11u7
  • CRITICAL9.8CVE-2023-3824Buffer overflow and overread in phar_dir_read()
    from 0, < 7.4.33-1+deb11u5
  • CRITICAL9.8CVE-2022-37454Buffer overflow in sponge queue functions
    from 0, < 7.4.33-1+deb11u1
  • CRITICAL9.8CVE-2021-21708UAF due to php_filter_float() failing
    from 0, < 7.4.28-1+deb11u1
  • CRITICAL9.1CVE-2022-31631PDO::quote() may return unquoted string
    from 0, < 7.4.33-1+deb11u3
  • CRITICAL9.1CVE-2022-31631PDO::quote() may return unquoted string
    from 0, < 7.4.33-1+deb11u3
  • CRITICAL9.1CVE-2020-7060global buffer-overflow in mbfl_filt_conv_big5_wchar
    from 0, < 7.4.2-7
  • CRITICAL9.1CVE-2020-7059OOB read in php_strip_tags_ex
    from 0, < 7.4.2-7
  • HIGH8.8CVE-2022-31626mysqlnd/pdo password buffer overflow
    from 0, < 7.4.30-1+deb11u1
  • HIGH8.8CVE-2020-7065mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full
    from 0, < 7.4.5-1
  • HIGH8.2CVE-2025-14178Heap buffer overflow in array_merge()
    from 0, < 7.4.33-1+deb11u10
  • HIGH8.2CVE-2025-14178Heap buffer overflow in array_merge()
    from 0, < 7.4.33-1+deb11u10
  • HIGH8.2CVE-2024-11233Single byte overread with convert.quoted-printable-decode filter
    from 0, < 7.4.33-1+deb11u7
  • HIGH8.2CVE-2024-11233Single byte overread with convert.quoted-printable-decode filter
    from 0, < 7.4.33-1+deb11u7
  • HIGH8.1CVE-2023-0568Array overrun in common path resolve code
    from 0, < 7.4.33-1+deb11u3
  • HIGH8.1CVE-2022-31625Freeing unallocated memory in php_pgsql_free_params()
    from 0, < 7.4.30-1+deb11u1
  • HIGH8.1CVE-2022-31625Freeing unallocated memory in php_pgsql_free_params()
    from 0, < 7.4.30-1+deb11u1
  • HIGH7.5CVE-2026-7568Signed integer overflow in metaphone()
    from 0, < 7.4.33-1+deb11u11
  • HIGH7.5CVE-2026-7262NULL pointer dereference in SOAP apache:Map decoder with missing <value>
    from 0, < 7.4.33-1+deb11u11
  • HIGH7.5CVE-2026-7258Out-of-bounds read in urldecode() on NetBSD
    from 0, < 7.4.33-1+deb11u11
  • HIGH7.5CVE-2025-1735pgsql extension does not check for errors during escaping
    from 0, < 7.4.33-1+deb11u9
  • HIGH7.5CVE-2024-8927cgi.force_redirect configuration is bypassable due to the environment variable collision
    from 0, < 7.4.33-1+deb11u6
  • HIGH7.5CVE-2023-3823Security issue with external entity loading in XML without enabling it
    from 0, < 7.4.33-1+deb11u5
  • HIGH7.5CVE-2023-3823Security issue with external entity loading in XML without enabling it
    from 0, < 7.4.33-1+deb11u5
  • HIGH7.5CVE-2023-0662DoS vulnerability when parsing multipart request body
    from 0, < 7.4.33-1+deb11u3
  • HIGH7.5CVE-2021-21702Null Dereference in SoapClient
    from 0, < 7.4.15-1
  • HIGH7.5CVE-2020-7067OOB Read in urldecode()
    from 0, < 7.4.5-1
  • HIGH7.5CVE-2020-7062Null Pointer Dereference in PHP Session Upload Progress
    from 0, < 7.4.3-1
  • HIGH7.3CVE-2025-1736Stream HTTP wrapper header check might omit basic auth header
    from 0, < 7.4.33-1+deb11u8
  • HIGH7.2CVE-2024-11234Configuring a proxy in a stream context might allow for CRLF injection in URIs
    from 0, < 7.4.33-1+deb11u7
  • HIGH7.1CVE-2022-31630OOB read due to insufficient input validation in imageloadfont()
    from 0, < 7.4.33-1+deb11u1
  • HIGH7.0CVE-2021-21703PHP-FPM memory access in root process leading to privilege escalation
    from 0, < 7.4.25-1+deb11u1
  • HIGH7.0CVE-2021-21703PHP-FPM memory access in root process leading to privilege escalation
    from 0, < 7.4.25-1+deb11u1
  • MEDIUM6.5CVE-2024-3096PHP function password_verify can erroneously return true when argument contains NUL
    from 0, < 7.4.33-1+deb11u5
  • MEDIUM6.5CVE-2024-2756__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
    from 0, < 7.4.33-1+deb11u5
  • MEDIUM6.5CVE-2022-31629$_COOKIE names string replacement (. -> _): cookie integrity vulnerabilities
    from 0, < 7.4.33-1+deb11u1
  • MEDIUM6.5CVE-2020-7069Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV
    from 0, < 7.4.11-1
  • MEDIUM6.2CVE-2023-0567password_verify() always returns true for some invalid hashes
    from 0, < 7.4.33-1+deb11u3
  • MEDIUM6.1CVE-2026-6735XSS within PHP-FPM status endpoint
    from 0, < 7.4.33-1+deb11u11
  • MEDIUM5.9CVE-2025-6491NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix
    from 0, < 7.4.33-1+deb11u9
  • MEDIUM5.9CVE-2024-2408PHP is vulnerable to the Marvin Attack
    from 0
  • MEDIUM5.9CVE-2021-21704Multiple vulnerabilities in Firebird client extension
    from 0, < 7.4.21-1+deb11u1
  • MEDIUM5.8CVE-2024-8929Leak partial content of the heap through heap buffer over-read in mysqlnd
    from 0, < 7.4.33-1+deb11u7
  • MEDIUM5.5CVE-2022-4900Potential buffer overflow in php_cli_server_startup_workers
    from 0, < 7.4.33-1+deb11u6
  • MEDIUM5.5CVE-2022-4900Potential buffer overflow in php_cli_server_startup_workers
    from 0, < 7.4.33-1+deb11u6
  • MEDIUM5.5CVE-2022-31628phar wrapper can occur dos when using quine gzip file
    from 0, < 7.4.33-1+deb11u1
  • MEDIUM5.5CVE-2022-31628phar wrapper can occur dos when using quine gzip file
    from 0, < 7.4.33-1+deb11u1
  • MEDIUM5.4CVE-2020-7064Use-of-uninitialized-value in exif
    from 0, < 7.4.5-1
  • MEDIUM5.3CVE-2025-1220Null byte termination in hostnames
    from 0, < 7.4.33-1+deb11u9
  • MEDIUM5.3CVE-2025-1220Null byte termination in hostnames
    from 0, < 7.4.33-1+deb11u9
  • MEDIUM5.3CVE-2025-1734Streams HTTP wrapper does not fail for headers with invalid name and no colon
    from 0, < 7.4.33-1+deb11u8
  • MEDIUM5.3CVE-2025-1219libxml streams use wrong content-type header when requesting a redirected resource
    from 0, < 7.4.33-1+deb11u8
  • MEDIUM5.3CVE-2024-8925Erroneous parsing of multipart form data
    from 0, < 7.4.33-1+deb11u6
  • MEDIUM5.3CVE-2024-5458Filter bypass in filter_var (FILTER_VALIDATE_URL)
    from 0, < 7.4.33-1+deb11u6
  • MEDIUM5.3CVE-2021-21707Special characters break path parsing in XML functions
    from 0, < 7.4.28-1+deb11u1
  • MEDIUM5.3CVE-2021-21707Special characters break path parsing in XML functions
    from 0, < 7.4.28-1+deb11u1
  • MEDIUM5.3CVE-2021-21705Incorrect URL validation in FILTER_VALIDATE_URL
    from 0, < 7.4.21-1+deb11u1
  • MEDIUM5.3CVE-2020-7071FILTER_VALIDATE_URL accepts URLs with invalid userinfo
    from 0, < 7.4.14-1
  • MEDIUM5.3CVE-2020-7070PHP parses encoded cookie names so malicious `__Host-` cookies can be sent
    from 0, < 7.4.11-1
  • MEDIUM5.3CVE-2019-11048php7.3 - security update
    from 0, < 7.4.9-1
  • MEDIUM5.3CVE-2020-7063Files added to tar with Phar::buildFromIterator have all-access permissions
    from 0, < 7.4.3-1
  • MEDIUM4.3CVE-2023-3247Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP
    from 0, < 7.4.33-1+deb11u4
  • MEDIUM4.3CVE-2023-3247Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP
    from 0, < 7.4.33-1+deb11u4
  • MEDIUM4.3CVE-2020-7066get_headers() silently truncates after a null byte
    from 0, < 7.4.5-1
  • LOW3.6CVE-2020-7068Use of freed hash key in the phar_parse_zipfile function
    from 0, < 7.4.9-1
  • LOW3.3CVE-2024-9026PHP-FPM logs from children may be altered
    from 0, < 7.4.33-1+deb11u6
  • LOW3.1CVE-2025-1217Header parser of http stream wrapper does not handle folded headers
    from 0, < 7.4.33-1+deb11u8
  • LOW3.1CVE-2025-1217Header parser of http stream wrapper does not handle folded headers
    from 0, < 7.4.33-1+deb11u8