{"id":"CVE-2024-8926","summary":"PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)","details":"In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 (https://github.com/advisories/GHSA-vxpp-6299-mxw3) may still be bypassed and the same command injection related to Windows \"Best Fit\" codepage behavior can be achieved. This may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.","aliases":["BIT-libphp-2024-8926","BIT-php-2024-8926","BIT-php-min-2024-8926","GHSA-p99j-rfp4-xqvq"],"modified":"2026-05-18T05:56:12.860750754Z","published":"2024-10-08T03:48:53.628Z","database_specific":{"cwe_ids":["CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/8xxx/CVE-2024-8926.json","cna_assigner":"php"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/8xxx/CVE-2024-8926.json"},{"type":"ADVISORY","url":"https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8926"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241101-0003/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"d26068059e83fe40de3430a512471d194119bee0"},{"fixed":"b4ecd9aa2edfdff932deb9c09105a9cb3445c3bc"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8926.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}