PT-2024-6535 · Php+2

Published: 2019-06-02 · Updated: 2025-08-11 · CVE-2024-8926

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions:
PHP versions 8.1.* through 8.1.29
PHP versions 8.2.* through 8.2.23
PHP versions 8.3.* through 8.3.11

Description: The issue exists because the PHP interpreter fails to neutralize special elements. A malicious user may be able to pass options to the PHP binary being run, potentially revealing the source code of scripts or running arbitrary PHP code on the server. The problem is related to the Windows "Best Fit" codepage behavior and arises under certain non-standard configurations of Windows codepages.

Recommendations:
For PHP versions 8.1.* through 8.1.29, update to version 8.1.30 or later.
For PHP versions 8.2.* through 8.2.23, update to version 8.2.24 or later.
For PHP versions 8.3.* through 8.3.11, update to version 8.3.12 or later.
As a temporary workaround, consider restricting the use of non-standard Windows codepage configurations to minimize the risk of exploitation.

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

ALT-PU-2019-1959
ALT-PU-2021-2943
ALT-PU-2021-3079
ALT-PU-2023-1275
ALT-PU-2023-4125
ALT-PU-2024-13449
ALT-PU-2024-13465
ALT-PU-2024-13522
ALT-PU-2024-13710
ALT-PU-2024-13711
ALT-PU-2024-13731
ALT-PU-2024-16480
ALT-PU-2024-6670
BDU:2024-07677
BIT-LIBPHP-2024-8926
BIT-PHP-2024-8926
BIT-PHP-MIN-2024-8926
CVE-2024-8926
DSA-5780-1
GHSA-P99J-RFP4-XQVQ
GHSA-VXPP-6299-MXW3
OESA-2024-2248

Affected Products

Alt Linux
Php
Red Os