Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice.

Attackers were able to place malicious code in the PHP central code repository by impersonating key developers, forcing changes to the PHP Group's infrastructure.

One of PHP's strengths is the ability to easily inject variables, values and attributes into HTML code to create dynamic Web pages.

The TellYouThePass ransomware gang has been exploiting the recently patched CVE-2024-4577 remote code execution vulnerability in PHP to deliver webshells and execute the encryptor payload on ...

This data is modified in such a way to force the TCPDF library to call the PHP server's "phar://" stream wrapper, and later abuse the PHP deserialization process to run code on the underlying server.