PHP · PHP · CVE-2015-4642
**Name of the Vulnerable Software and Affected Versions**
PHP versions prior to 5.4.42
PHP versions 5.5.x prior to 5.5.26
PHP versions 5.6.x prior to 5.6.10
**Description**
The `escapeshellarg` function does not properly neutralize special elements used in an operating system command. As a result, remote attackers can execute arbitrary OS commands by sending a crafted string to an application that accepts command-line arguments for a call to the PHP `system` function.
**Recommendations**
For PHP versions prior to 5.4.42, update to version 5.4.42 or later.
For PHP versions 5.5.x prior to 5.5.26, update to version 5.5.26 or later.
For PHP versions 5.6.x prior to 5.6.10, update to version 5.6.10 or later.
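
The version ranges above applied as an inventory check, as an added example that is not part of the original advisory. The function names, host names and version strings are constructed for illustration.

```python
import re

# Fixed releases per branch, taken from the advisory above.
FIXED_BY_BRANCH = {(5, 5): (5, 5, 26), (5, 6): (5, 6, 10)}
FIXED_54_AND_OLDER = (5, 4, 42)  # "versions prior to 5.4.42"

def parse_version(text):
    """Pull (major, minor, patch) out of e.g. 'PHP 5.5.25 (cli)' or '5.6.9-0+deb8u1'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no PHP version found in {text!r}")
    return tuple(int(part) for part in match.groups())

def required_fix(version_text):
    """Return the minimum fixed release for an affected version, else None."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
    elif branch <= (5, 4):
        fixed = FIXED_54_AND_OLDER
    else:
        return None  # branch not listed as affected by the advisory
    return ".".join(map(str, fixed)) if version < fixed else None

def audit(inventory):
    """Map each affected host to the release it must reach."""
    findings = {}
    for host, version_text in inventory.items():
        fix = required_fix(version_text)
        if fix is not None:
            findings[host] = fix
    return findings

# Constructed inventory: host names and version strings are illustrative.
# A distro suffix (e.g. '-0+deb8u1') can mean the fix was backported without
# changing the upstream number, so treat such hits as "verify", not "confirmed".
SAMPLE_INVENTORY = {
    "web-01": "PHP 5.4.41 (cli)",
    "web-02": "PHP 5.5.26 (cli)",
    "web-03": "5.6.9-0+deb8u1",
    "web-04": "PHP 5.3.29 (cli)",
    "web-05": "PHP 7.0.0 (cli)",
}

if __name__ == "__main__":
    for host, fix in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: update to {fix} or later")
```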