Description
In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.
References (2)
Core 2
Core References
Vendor Advisory
https://bugs.php.net/bug.php?id=81740
Third Party Advisory
https://security.netapp.com/advisory/ntap-20230223-0007/
Scores
CVSS v3
9.1
EPSS
0.0057
EPSS Percentile
68.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-74
Status
published
Products (1)
php/php
8.0.0 - 8.0.27
Published
Feb 12, 2025
Tracked Since
Feb 18, 2026