CVE-2024-8926 HIGH

CVE-2024-8926: PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)

Vendor Php Group

Product PHP

Weakness CWE-78

Published October 8, 2024

Last update November 3, 2025

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Key dates

02Disclosure timeline

October 8, 2024 CVE published

November 3, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-8926

Related vulnerabilities

Identifiers

CVE CVE-2024-8926

CWE CWE-78

CVSS 8.1 / HIGH

Affected versions

Vendor Php Group

Product PHP

Affected ≥ 8.1.* and < 8.1.30

Vendor Php Group

Product PHP

Affected ≥ 8.2.* and < 8.2.24

Vendor Php Group

Product PHP

Affected ≥ 8.3.* and < 8.3.12

CVE-2024-8926: PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)

01Description

02Disclosure timeline

03References

04Related CVE