Skip to main content

Php Standard Library

1 CVEs product

Monthly

CVE-2026-48979 PHP HIGH PATCH GHSA This Week

HTTP/2 request smuggling in PHP Standard Library (PSL) versions 6.1.0, 6.1.1, and 6.2.0 lets remote unauthenticated clients desynchronize stream boundaries in Psl\H2\ServerConnection by sending DATA frame totals that disagree with the declared content-length header. Only applications that consume the low-level H2 server connection directly to accept untrusted traffic are exposed; high-level PSL APIs are unaffected. No public exploit identified at time of analysis, and the maintainers state the issue was found during internal review prior to public exploitation.

PHP Request Smuggling Information Disclosure Php Standard Library Php Standard Library H2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

HTTP/2 request smuggling in PHP Standard Library (PSL) versions 6.1.0, 6.1.1, and 6.2.0 lets remote unauthenticated clients desynchronize stream boundaries in Psl\H2\ServerConnection by sending DATA frame totals that disagree with the declared content-length header. Only applications that consume the low-level H2 server connection directly to accept untrusted traffic are exposed; high-level PSL APIs are unaffected. No public exploit identified at time of analysis, and the maintainers state the issue was found during internal review prior to public exploitation.

PHP Request Smuggling Information Disclosure +2
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy