CVE-2015-5161

Zend Framework < 1.12.14, 2.x < 2.4.6, 2.5.x < 2.5.2 - XML External Entity Injection via Multibyte Encoded Characters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-5161. PoCs published by Dawid Golunski.

AI-analyzed exploit summary This exploit demonstrates an XML External Entity (XXE) injection vulnerability in eBay Magento's SOAP API when served with PHP FPM. It bypasses sanitization using multibyte encodings to read arbitrary files or cause denial of service.

Description

The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.

Exploits (2)

exploitdb WORKING POC
by Dawid Golunski · textwebappsphp
https://www.exploit-db.com/exploits/38573

This exploit demonstrates an XML External Entity (XXE) injection vulnerability in eBay Magento's SOAP API when served with PHP FPM. It bypasses sanitization using multibyte encodings to read arbitrary files or cause denial of service.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: eBay Magento CE <= 1.9.2.1, EE <= 1.14.2.1
No auth needed
Prerequisites: PHP FPM serving Magento · Access to Magento SOAP API endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Dawid Golunski · textwebappsmultiple
https://www.exploit-db.com/exploits/37765

This exploit demonstrates an XXE (XML External Entity) injection vulnerability in Zend Framework when running under PHP-FPM. The PoC bypasses the framework's security controls by using UTF-16 encoding and network access restrictions to read arbitrary files.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Zend Framework <= 2.4.2 and <= 1.12.13
No auth needed
Prerequisites: PHP-FPM environment · Zend Framework application processing XML input
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3340
Vendor Advisory x_refsource_confirm
http://framework.zend.com/security/advisory/ZF2015-06
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/76177
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37765/
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Aug/46

Scores

EPSS 0.3909
EPSS Percentile 97.4%

Details

Status published
Products (32)
zend/zend_framework 1.0.0 (5 CPE variants)
zend/zend_framework 1.0.1
zend/zend_framework 1.0.2
zend/zend_framework 1.0.3
zend/zend_framework 1.0.4
zend/zend_framework 1.5.0 rc1 (3 CPE variants)
zend/zend_framework 1.5.1
zend/zend_framework 1.5.2
zend/zend_framework 1.5.3
zend/zend_framework 1.6.0 (4 CPE variants)
... and 22 more
Published Aug 25, 2015
Tracked Since Feb 18, 2026