CVE-2024-8926
HIGHPHP 8.1.0-8.1.29 - OS Command Injection via Windows Codepage Configuration Bypass
Title source: llmDescription
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
References (2)
Core 2
Core References
Exploit, Vendor Advisory
https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq
Vendor Advisory
https://security.netapp.com/advisory/ntap-20241101-0003/
Scores
CVSS v3
8.1
EPSS
0.0271
EPSS Percentile
86.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (1)
php/php
8.1.0 - 8.1.30
Published
Oct 08, 2024
Tracked Since
Feb 18, 2026