PHP vulnerabilities: known CVEs & security history
PHP · Web / Runtime · 743 tracked CVEs · 3 actively exploited · updated June 2026
This is the full list of known vulnerabilities (CVEs) across all PHP release lines — 743 in total, with 3 actively exploited in the wild. A CVE here doesn't mean your version is affected — check PHP's current status and the safe version to run.
Known PHP CVEs
Actively-exploited and most-severe first. Showing the top 80 of 743.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2024-4577 (⚡ exploited) | critical | 9.8 | 100% | 2024 |
| CVE-2012-1823 (⚡ exploited) | critical | 9.8 | 100% | 2012 |
| CVE-2019-11043 (⚡ exploited) | high | 8.7 | 99% | 2019 |
| CVE-2026-7261 | critical | 9.8 | 0% | 2026 |
| CVE-2026-6722 | critical | 9.8 | 1% | 2026 |
| CVE-2025-14179 | critical | 9.8 | 0% | 2026 |
| CVE-2025-1861 | critical | 9.8 | 1% | 2025 |
| CVE-2024-11236 | critical | 9.8 | 2% | 2024 |
| CVE-2024-8932 | critical | 9.8 | 1% | 2024 |
| CVE-2024-3566 | critical | 9.8 | 7% | 2024 |
| CVE-2022-37454 | critical | 9.8 | 5% | 2022 |
| CVE-2014-3622 | critical | 9.8 | 3% | 2020 |
| CVE-2011-1939 | critical | 9.8 | 4% | 2019 |
| CVE-2019-13224 | critical | 9.8 | 4% | 2019 |
| CVE-2019-9641 | critical | 9.8 | 9% | 2019 |
| CVE-2019-9025 | critical | 9.8 | 3% | 2019 |
| CVE-2019-9023 | critical | 9.8 | 9% | 2019 |
| CVE-2019-9021 | critical | 9.8 | 10% | 2019 |
| CVE-2019-9020 | critical | 9.8 | 10% | 2019 |
| CVE-2017-9120 | critical | 9.8 | 8% | 2018 |
| CVE-2018-11756 | critical | 9.8 | 8% | 2018 |
| CVE-2018-12882 | critical | 9.8 | 7% | 2018 |
| CVE-2018-7584 | critical | 9.8 | 88% | 2018 |
| CVE-2017-12868 | critical | 9.8 | 2% | 2017 |
| CVE-2017-12933 | critical | 9.8 | 7% | 2017 |
| CVE-2017-12932 | critical | 9.8 | 7% | 2017 |
| CVE-2017-11362 | critical | 9.8 | 3% | 2017 |
| CVE-2016-4473 | critical | 9.8 | 8% | 2017 |
| CVE-2017-9228 | critical | 9.8 | 6% | 2017 |
| CVE-2017-9227 | critical | 9.8 | 6% | 2017 |
| CVE-2017-9226 | critical | 9.8 | 8% | 2017 |
| CVE-2017-9225 | critical | 9.8 | 3% | 2017 |
| CVE-2017-9224 | critical | 9.8 | 7% | 2017 |
| CVE-2017-9119 | critical | 9.8 | 4% | 2017 |
| CVE-2017-8923 | critical | 9.8 | 7% | 2017 |
| CVE-2016-10160 | critical | 9.8 | 7% | 2017 |
| CVE-2016-7479 | critical | 9.8 | 42% | 2017 |
| CVE-2016-7480 | critical | 9.8 | 42% | 2017 |
| CVE-2017-5340 | critical | 9.8 | 17% | 2017 |
| CVE-2016-9936 | critical | 9.8 | 4% | 2017 |
| CVE-2016-9935 | critical | 9.8 | 7% | 2017 |
| CVE-2016-9138 | critical | 9.8 | 4% | 2017 |
| CVE-2016-9137 | critical | 9.8 | 5% | 2017 |
| CVE-2016-8670 | critical | 9.8 | 5% | 2017 |
| CVE-2014-9912 | critical | 9.8 | 5% | 2017 |
| CVE-2016-7405 | critical | 9.8 | 3% | 2016 |
| CVE-2016-7568 | critical | 9.8 | 5% | 2016 |
| CVE-2016-7417 | critical | 9.8 | 7% | 2016 |
| CVE-2016-7414 | critical | 9.8 | 7% | 2016 |
| CVE-2016-7413 | critical | 9.8 | 7% | 2016 |
| CVE-2016-7411 | critical | 9.8 | 6% | 2016 |
| CVE-2016-7134 | critical | 9.8 | 5% | 2016 |
| CVE-2016-7129 | critical | 9.8 | 7% | 2016 |
| CVE-2016-7127 | critical | 9.8 | 7% | 2016 |
| CVE-2016-7126 | critical | 9.8 | 9% | 2016 |
| CVE-2016-7124 | critical | 9.8 | 17% | 2016 |
| CVE-2016-5773 | critical | 9.8 | 9% | 2016 |
| CVE-2016-5772 | critical | 9.8 | 10% | 2016 |
| CVE-2016-5771 | critical | 9.8 | 15% | 2016 |
| CVE-2016-5770 | critical | 9.8 | 7% | 2016 |
| CVE-2016-5769 | critical | 9.8 | 8% | 2016 |
| CVE-2016-5768 | critical | 9.8 | 10% | 2016 |
| CVE-2016-3132 | critical | 9.8 | 12% | 2016 |
| CVE-2016-3078 | critical | 9.8 | 58% | 2016 |
| CVE-2016-6296 | critical | 9.8 | 6% | 2016 |
| CVE-2016-6295 | critical | 9.8 | 5% | 2016 |
| CVE-2016-6294 | critical | 9.8 | 6% | 2016 |
| CVE-2016-6291 | critical | 9.8 | 6% | 2016 |
| CVE-2016-6290 | critical | 9.8 | 5% | 2016 |
| CVE-2016-6288 | critical | 9.8 | 5% | 2016 |
| CVE-2016-4544 | critical | 9.8 | 7% | 2016 |
| CVE-2016-4543 | critical | 9.8 | 12% | 2016 |
| CVE-2016-4542 | critical | 9.8 | 6% | 2016 |
| CVE-2016-4541 | critical | 9.8 | 6% | 2016 |
| CVE-2016-4540 | critical | 9.8 | 6% | 2016 |
| CVE-2016-4539 | critical | 9.8 | 6% | 2016 |
| CVE-2016-4538 | critical | 9.8 | 6% | 2016 |
| CVE-2016-4537 | critical | 9.8 | 6% | 2016 |
| CVE-2016-4346 | critical | 9.8 | 6% | 2016 |
| CVE-2016-4345 | critical | 9.8 | 5% | 2016 |
663 older / lower-severity CVEs not shown — see PHP's full record.
Is my PHP version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
PHP vulnerabilities — frequently asked
How many known vulnerabilities does PHP have?
IsItPatched tracks 743 CVEs for PHP, 3 of which are actively exploited (CISA KEV). 127 are critical-severity and 277 high-severity. These span every release line — what matters is whether the version you run is affected.
Does PHP have any actively-exploited vulnerabilities?
Yes — 3 PHP CVEs are in CISA's Known Exploited Vulnerabilities catalog, meaning they are confirmed exploited in the wild (2 linked to ransomware). Patch these as a priority.
What is the most severe PHP vulnerability?
Among tracked issues, CVE-2024-4577 (CRITICAL, CVSS 9.8), which is actively exploited, ranks highest; it is an OS command injection weakness.
Is PHP safe to use?
It depends on the version. The latest supported PHP release (8.5.7) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Always verify against PHP's advisories.