In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
References
| Link | Resource |
|---|---|
| https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq | Exploit Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
19 Aug 2025, 16:26
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | |
| First Time |
Php
Php php |
|
| References | () https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq - Exploit, Vendor Advisory |
24 Apr 2025, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
|
16 Oct 2024, 18:35
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-78 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
| First Time |
Php-fpm php-fpm
Php-fpm |
|
| CPE | cpe:2.3:a:php-fpm:php-fpm:*:*:*:*:*:*:*:* | |
| References | () https://github.com/advisories/GHSA-vxpp-6299-mxw3 - Third Party Advisory |
08 Oct 2024, 04:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2024-10-08 04:15
Updated : 2025-08-19 16:26
NVD link : CVE-2024-8926
Mitre link : CVE-2024-8926
JSON object : View
Products Affected
php
- php
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')