CVE-2024-8926
- Source
- https://cve.org/CVERecord?id=CVE-2024-8926
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8926.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-8926
- Aliases
-
- BIT-libphp-2024-8926
- BIT-php-2024-8926
- BIT-php-min-2024-8926
- GHSA-p99j-rfp4-xqvq
- Downstream
- Published
- 2024-10-08T03:48:53.628Z
- Modified
- 2026-05-01T04:26:36.521503Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)
- Details
-
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
- Database specific
{ "cna_assigner": "php", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/8xxx/CVE-2024-8926.json", "cwe_ids": [ "CWE-78" ] }- References