CVE-2024-8926

Advisory lineage Upstream: 0 Downstream: 2
Modified
Published: 08 Oct 2024, 03:48
Last modified:03 Nov 2025, 22:33

Vulnerability Summary

Overall Risk (default)
medium
46/100
CVSS Score
8.8 HIGH
v3.1 (nvd)
EPSS Score
2.71% LOW
3% probability +1.05%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

08 Oct 2024, 03:48
Published
Vulnerability first disclosed
03 Nov 2025, 22:33
Last Modified
Vulnerability information updated

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for  CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3  may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CVSS Metrics

  • v3.1HIGHScore: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • v3.1HIGHScore: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 2.71% Percentile: 86%

Techniques & Countermeasures

  • CWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

    The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Affected Systems

  • UnknownPHP

    ≥ 8.1.*, < 8.1.30 | ≥ 8.2.*, < 8.2.24 | ≥ 8.3.*, < 8.3.12

  • UnknownPHP

    ≥ 8.1.0, < 8.1.30 | ≥ 8.2.0, < 8.2.24 | ≥ 8.3.0, < 8.3.12

References (2)