products / php

PHP

PHP powers a large share of the web. NVD tracks cpe:2.3:a:php:php with extremely deep historical coverage on 7.x and 8.x. CVE-2024-4577 (CISA KEV) is a canonical exploited-in-the-wild reference for CGI deployments on Windows.

api usage

Querying PHP

product slugphp

version format8.1.18, 8.3.14, semver

bash

curl "https://api.attestd.io/v1/check?product=php&version=8.1.18" \
  -H "Authorization: Bearer $ATTESTD_KEY"

json

{
  "product": "php",
  "version": "8.1.18",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "remote_code_execution",
    "active_exploitation",
    "patch_available",
    "internet_exposed_service"
  ],
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "8.1.29",
  "confidence": 0.92,
  "cve_ids": ["CVE-2024-4577", "CVE-2024-2408"],
  "last_updated": "2026-05-13T18:00:00Z",
  "supply_chain": null
}

safe version

bash

curl "https://api.attestd.io/v1/check?product=php&version=8.3.14" \
  -H "Authorization: Bearer $ATTESTD_KEY"

notable cves

CVE history

CVE	Description	CVSS
`CVE-2024-4577`	Argument injection on Windows via CGI parameter bypass (CISA KEV, CVSS 9.8).	9.8
`CVE-2024-2408`	Timing side-channel in bcrypt password verification.	5.9

All products Apache HTTP Server NGINX Response Field Reference