**Name of the Vulnerable Software and Affected Versions** PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** The `DOMNode::C14N()` method may process XML data incorrectly, leading to the creation of a circular linked list within the data structure that represents the XML document. This flaw can cause subsequent processing of the document to enter an infinite loop, resulting in a denial of service for the application. **Recommendations** Update PHP version 8.4.x to 8.4.21. Update PHP version 8.5.x to 8.5.6. As a temporary workaround, restrict the use of the `DOMNode::C14N()` method when processing untrusted XML data.

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** The PDO Firebird driver improperly handles NUL bytes during the preparation of SQL queries. When constructing queries token-by-token, a string token containing a NUL byte is processed using the `strncat()` function, which terminates at the NUL byte. This action drops the closing quote, causing subsequent SQL tokens to be interpreted as part of the string. This behavior enables SQL injection when attacker-controlled values are quoted using the `PDO::quote()` function and embedded in SQL statements. **Recommendations** Update PHP version 8.2.x to 8.2.31 Update PHP version 8.3.x to 8.3.31 Update PHP version 8.4.x to 8.4.21 Update PHP version 8.5.x to 8.5.6

**Name of the Vulnerable Software and Affected Versions** Lexbor versions prior to 2.7.0 **Description** Lexbor is a web browser engine library. Before version 2.7.0, the ISO‑2022‑JP encoder in Lexbor does not reset the temporary size variable between iterations. The statement `ctx->buffer used -= size` with an outdated size of 3 causes an integer underflow that wraps to SIZE MAX. Subsequently, `memcpy` is called with a negative length, resulting in an out-of-bounds read from the stack and an out-of-bounds write to the heap. The source data is partially controllable through the contents of the DOM tree. **Recommendations** Versions prior to 2.7.0 should be updated to version 2.7.0 or later.

**Name of the Vulnerable Software and Affected Versions** Lexbor versions prior to 2.7.0 **Description** Lexbor is a web browser engine library. A type-confusion issue exists in Lexbor’s HTML fragment parser. When `ns` is UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting the `qualified name` field. This corrupted value is later used as a pointer and dereferenced. **Recommendations** Update to Lexbor version 2.7.0 or later.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 8.1.34 PHP versions prior to 8.2.30 PHP versions prior to 8.3.29 PHP versions prior to 8.4.16 PHP versions prior to 8.5.1 **Description** A bug in the `php read stream all chunks()` function allows for the disclosure of sensitive heap memory. This occurs when the `getimagesize()` function reads images in multi-chunk mode, such as through `php://filter` streams, because the buffer is overwritten without advancing the pointer, leaving tail bytes uninitialized. This can leak uninitialized heap memory into APPn segments (e.g., APP1). The issue is triggered when an attacker controls the stream chunk size and crafts a JPEG with a large APP1 segment spanning multiple read chunks. **Recommendations** Update to version 8.1.34 or later. Update to version 8.2.30 or later. Update to version 8.3.29 or later. Update to version 8.4.16 or later. Update to version 8.5.1 or later. As a temporary workaround, restrict the use of the `getimagesize()` function on untrusted JPEG files, especially those processed via `php://filter` streams.

**Name of the Vulnerable Software and Affected Versions** libxml2 (affected versions not specified) **Description** A NULL pointer dereference issue was discovered in libxml2 when processing XPath XML expressions. This allows an attacker to create malicious XML input, resulting in a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libxml2 (affected versions not specified) **Description** A memory corruption issue can be triggered in libxml2 by processing certain sch:name elements from an input XML file. This allows an attacker to craft a malicious XML input file, potentially leading to a denial of service or other undefined behavior due to sensitive data corruption in memory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libxml2 versions (affected versions not specified) **Description** A use-after-free issue was found in libxml2, occurring when parsing XPath elements under certain circumstances, specifically when the XML schematron contains the "sch:name path" schema elements. This allows a malicious actor to craft a malicious XML document, potentially causing the program to crash or resulting in undefined behaviors. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: libxml2 versions prior to 2.9.15 Description: An uncontrolled recursion issue in XPath evaluation within libxml2 allows a local attacker to cause a stack overflow through crafted expressions. The XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` previously reset recursion depth to zero before making potentially recursive calls, enabling uncontrolled recursion and a potential stack overflow when called recursively. These functions now preserve recursion depth across recursive calls, allowing for controlled recursion. Recommendations: Update to libxml2 version 2.9.15 or later.