PHP
PHP · Web / Runtime
100/100 Healthy
Summary: Plain-English security verdict for PHP, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.
PHP currently scores 100/100 — healthy. 3 actively-exploited vulnerabilities (CISA KEV) affect older releases (e.g. CVE-2024-4577) — staying on the latest supported version keeps you clear of them. The latest supported release is 8.5.7. It's on the latest patch with no significant known issues — keep it current.
Disclosure trend: New CVEs published for PHP each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.
[Bar chart: CVEs per year, '19 through '26]
⚠ 2 of its known vulnerabilities are linked to ransomware campaigns (CISA KEV).
Patch priority — what to act on: The issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.
Most urgent first — actively exploited, then likeliest to be exploited.
CVE-2024-4577 CRITICAL ● exploited ⚠ ransomware OS command injection EPSS 94% → fixed in 8.3.8
CVE-2012-1823 CRITICAL ● exploited Command injection EPSS 94% → fixed in 5.4.2
CVE-2019-11043 HIGH ● exploited ⚠ ransomware Buffer overflow EPSS 94% → fixed in 7.3.11
CVE-2018-19518 HIGH CWE-88 EPSS 94% → see advisory
CVE-2018-5712 MEDIUM Cross-site scripting (XSS) EPSS 89% → see advisory
CVE-2014-8142 HIGH EPSS 88% → see advisory
CVE-2019-6977 HIGH Out-of-bounds write EPSS 88% → fixed in 7.2.14
CVE-2015-0231 HIGH EPSS 87% → see advisory
CVE-2011-4885 MEDIUM Improper input validation EPSS 87% → see advisory
CVE-2007-1286 MEDIUM EPSS 86% → see advisory
CVE-2015-0235 HIGH Out-of-bounds write EPSS 85% → fixed in 5.6.6
CVE-2018-7584 CRITICAL Memory corruption EPSS 83% → fixed in 7.0.28
Versions & lifecycle: When each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.
How long each PHP release line is supported — and when it sunsets.
8.5 latest 8.5.7 Supported until 2029-12-31
8.4 latest 8.4.22 Supported until 2028-12-31
8.3 latest 8.3.31 Supported until 2027-12-31
8.2 latest 8.2.31 Supported until 2026-12-31
8.1 latest 8.1.34 End of life, ended 2025-12-31
8.0 latest 8.0.30 End of life, ended 2023-11-26
7.4 latest 7.4.33 End of life, ended 2022-11-28
7.3 latest 7.3.33 End of life, ended 2021-12-06
7.2 latest 7.2.34 End of life, ended 2020-11-30
7.1 latest 7.1.33 End of life, ended 2019-12-01