CVE-2025-14179 · CRITICAL 9.8 · EPSS p17.2%

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
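The truncation described above, reproduced as an added example; this is not code from php-src. The token type, function names and sample query are assumptions made for illustration, and the length-aware copy is one possible hardening, not the upstream patch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical token type for this example: a byte span with explicit length. */
struct tok { const char *p; size_t n; };
#define TOK(s) { s, sizeof(s) - 1 }

/* Constructed sample: the second token is a quoted string containing a NUL byte. */
static const struct tok SAMPLE[] = {
    TOK("SELECT id FROM t WHERE a = "), TOK("'a\0b'"), TOK(" AND b = "), TOK("'c'")
};

/* Before: strncat() stops at the first NUL even when asked to copy n bytes. */
static size_t build_strncat(char *out, size_t cap, const struct tok *t, size_t cnt) {
    out[0] = '\0';
    for (size_t i = 0; i < cnt; i++)
        if (strlen(out) + t[i].n < cap)
            strncat(out, t[i].p, t[i].n);
    return strlen(out);
}

/* After: length-aware copy keeps every byte of each token; returns 0 if it won't fit. */
static size_t build_memcpy(char *out, size_t cap, const struct tok *t, size_t cnt) {
    size_t len = 0;
    for (size_t i = 0; i < cnt; i++) {
        if (t[i].n >= cap - len) return 0;
        memcpy(out + len, t[i].p, t[i].n);
        len += t[i].n;
    }
    out[len] = '\0';
    return len;
}

/* Count single quotes over an explicit length (the buffer may contain NUL). */
static size_t count_quotes(const char *s, size_t n) {
    size_t q = 0;
    for (size_t i = 0; i < n; i++) q += (s[i] == '\'');
    return q;
}

int main(void) {
    char buf[128];
    size_t n = build_strncat(buf, sizeof buf, SAMPLE, 4);
    printf("strncat: %zu bytes, %zu quotes: %s\n", n, count_quotes(buf, n), buf);
    n = build_memcpy(buf, sizeof buf, SAMPLE, 4);
    printf("memcpy:  %zu bytes, %zu quotes\n", n, count_quotes(buf, n));
    return 0;
}
```

An odd quote count in the strncat output means the first literal never closed, so the following ` AND b = ` token is read as string content rather than SQL.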

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.26% probability of exploitation · percentile 17.2% · 2026-06-18T12:00:27Z
Published: 2026-05-10
Last modified: 2026-05-12

Underlying weaknesses · 1

CWE-89

References

  1. https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-23176
CVE-2025-1094
CVE-2025-47599
CVE-2025-46337
CVE-2025-10969
CVE-2026-10879

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.