Description
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Extended Description
In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.
CVE vulnerabilities with CWE-98 (1,165)
10.0
CVSS
CRITICAL
CVE-2025-25174
pub. 2025-08-14
10.0
CVSS
CRITICAL
CVE-2012-10025
pub. 2025-08-05
10.0
CVSS
CRITICAL
CVE-2025-52562
pub. 2025-06-23
9.9
CVSS
CRITICAL
CVE-2026-9559
pub. 2026-05-29
9.9
CVSS
CRITICAL
CVE-2026-41228
pub. 2026-04-23
9.9
CVSS
CRITICAL
CVE-2025-31340
pub. 2025-04-17
9.9
CVSS
CRITICAL
CVE-2023-5199
pub. 2023-10-30
9.8
CVSS
CRITICAL
CVE-2026-7515
pub. 2026-06-19
9.8
CVSS
CRITICAL
CVE-2026-27065
pub. 2026-03-19
9.8
CVSS
CRITICAL
CVE-2026-28043
pub. 2026-03-05
9.8
CVSS
CRITICAL
CVE-2026-0926
pub. 2026-02-19
9.8
CVSS
CRITICAL
CVE-2025-14502
pub. 2026-01-14
9.8
CVSS
CRITICAL
CVE-2025-53433
pub. 2025-12-18
9.8
CVSS
CRITICAL
CVE-2025-65656
pub. 2025-12-02
9.8
CVSS
CRITICAL
CVE-2025-63888
pub. 2025-11-20
9.8
CVSS
CRITICAL
CVE-2025-41734
pub. 2025-11-18
9.8
CVSS
CRITICAL
CVE-2025-11023
pub. 2025-10-23
9.8
CVSS
CRITICAL
CVE-2025-7634
pub. 2025-10-09
9.8
CVSS
CRITICAL
CVE-2025-7721
pub. 2025-10-03
9.8
CVSS
CRITICAL
CVE-2025-48293
pub. 2025-08-14
Showing 20 of 1,165 vulnerabilities