Indexed · Verified
PHP Security
PHP SAST rules aggregated across verified providers.
Fetch pack
greprules pack fetch php-security --engine opengrep
curl https://api.greprules.io/api/packs/php-security.tar.gz -o php-security.tar.gz
Included rules
CVE-2024-47071: Generic Path Traversal Via Request
  cve-2024-47071-generic-path-traversal-via-request
CVE-2024-55878: Simplexlsxex Missing Sanitization
  cve-2024-55878-simplexlsxex-missing-sanitization
CVE-2025-27794: Php Illuminate Session Fixation
  cve-2025-27794-php-illuminate-session-fixation
CVE-2025-32015: Simplepie Missing Srcdoc Strip
  cve-2025-32015-simplepie-missing-srcdoc-strip
CVE-2025-62166: Freshrss Cve 2025 62166 Auth Bypass
  cve-2025-62166-freshrss-cve-2025-62166-auth-bypass
CVE-2025-68129: Auth0 Clientid Audience Bypass
  cve-2025-68129-auth0-clientid-audience-bypass
CVE-2025-68437: Php Ssrf Missing Ip Validation
  cve-2025-68437-php-ssrf-missing-ip-validation
CVE-2025-7504: Php Unserialize Object Injection
  cve-2025-7504-php-unserialize-object-injection
CVE-2025-7670: Wpdb Unprepared Object Property
  cve-2025-7670-wpdb-unprepared-object-property
CVE-2026-1781: Form Listener Php Cwe 000 Cve 2026 1781
  cve-2026-1781-form-listener-php-cwe-000-cve-2026-1781
CVE-2026-25231: Models Foldermodel Php Cwe 000 Cve 2026 25231
  cve-2026-25231-models-foldermodel-php-cwe-000-cve-2026-25231
CVE-2026-27181: Majordomo Unauth Mode Assignment
  cve-2026-27181-majordomo-unauth-mode-assignment
CVE-2026-28696: Craftcms Assetbundle Cpexposure
  cve-2026-28696-craftcms-assetbundle-cpexposure
CVE-2026-28781: Craftcms Query Configure Sqli
  cve-2026-28781-craftcms-query-configure-sqli
CVE-2026-32812: Insufficient Url Validation Ssrf
  cve-2026-32812-insufficient-url-validation-ssrf
CVE-2026-33158: Craftcms Query Configure Injection
  cve-2026-33158-craftcms-query-configure-injection
CVE-2026-33159: Craftcms Query Mass Assignment
  cve-2026-33159-craftcms-query-mass-assignment
CVE-2026-33162: Craftcms Query Criteria Sqli
  cve-2026-33162-craftcms-query-criteria-sqli
CVE-2026-41658: Php Superglobal Mass Assignment
  cve-2026-41658-php-superglobal-mass-assignment
CVE-2026-42610: Php Iterable Config Command Injection
  cve-2026-42610-php-iterable-config-command-injection
CVE-2018-25270: Php Http Method Override Dynamic Call Without Whitelist
  cve-2018-25270-php-http-method-override-dynamic-call-without-whitelist
CVE-2020-37012: Php Latex Shell Escape Rce
  cve-2020-37012-php-latex-shell-escape-rce
CVE-2020-37123: Php Unsanitized Superglobal Into Shell Exec
  cve-2020-37123-php-unsanitized-superglobal-into-shell-exec
CVE-2020-37237: Php Orderby Whitelist Guarded By Array Key Exists
  cve-2020-37237-php-orderby-whitelist-guarded-by-array-key-exists
CVE-2021-27915: Php Recursive Reference Pass By Value
  cve-2021-27915-php-recursive-reference-pass-by-value
CVE-2021-47976: Php Unrestricted Upload User Filename As Destination
  cve-2021-47976-php-unrestricted-upload-user-filename-as-destination
CVE-2023-38048: Codeigniter Order By Sql Injection Via Escape
  cve-2023-38048-codeigniter-order-by-sql-injection-via-escape
CVE-2023-38049: Codeigniter Order By Escape Sqli
  cve-2023-38049-codeigniter-order-by-escape-sqli
CVE-2023-38053: Codeigniter Order By Escape Sql Injection
  cve-2023-38053-codeigniter-order-by-escape-sql-injection
CVE-2023-38054: Easyappointments Order By Escape Sql Injection
  cve-2023-38054-easyappointments-order-by-escape-sql-injection
CVE-2023-52044: Php Mime Blocklist Missing Php8 Php9
  cve-2023-52044-php-mime-blocklist-missing-php8-php9
CVE-2024-0916: Php Uvdesk Uploadfile Rename Defaults False
  cve-2024-0916-php-uvdesk-uploadfile-rename-defaults-false
CVE-2024-21549: Php Spatie Browsershot View Source Bypass
  cve-2024-21549-php-spatie-browsershot-view-source-bypass
CVE-2024-25625: Symfony Implicit Host Out Of Band Url
  cve-2024-25625-symfony-implicit-host-out-of-band-url
CVE-2024-29184: Overly Strict Realpath Traversal Check
  cve-2024-29184-overly-strict-realpath-traversal-check
CVE-2024-29895: Php Server Argv To Shell Exec Without Cast
  cve-2024-29895-php-server-argv-to-shell-exec-without-cast
CVE-2024-30247: Php Exec User Input Concatenation
  cve-2024-30247-php-exec-user-input-concatenation
CVE-2024-34697: Laravel Sanitize Rendered View
  cve-2024-34697-laravel-sanitize-rendered-view
CVE-2024-36399: Kanboard Idor Authorized Project Override
  cve-2024-36399-kanboard-idor-authorized-project-override
CVE-2024-4023: Php Insecure Addslashes On Superglobal
  cve-2024-4023-php-insecure-addslashes-on-superglobal
CVE-2024-41637: Php Tainted Putenv
  cve-2024-41637-php-tainted-putenv
CVE-2024-41802: Xibo Dataset Filter Sqli
  cve-2024-41802-xibo-dataset-filter-sqli
CVE-2024-44373: Php Unauthenticated File Write Post Path
  cve-2024-44373-php-unauthenticated-file-write-post-path
CVE-2024-45398: Tl Templates Php Cwe 502 Cve 2024 45398
  cve-2024-45398-tl-templates-php-cwe-502-cve-2024-45398
CVE-2024-45411: Twig Missing Sandbox Check Before Render
  cve-2024-45411-twig-missing-sandbox-check-before-render
CVE-2024-47053: Php Recursive Sanitization By Value Bypass
  cve-2024-47053-php-recursive-sanitization-by-value-bypass
CVE-2024-47782: Mediawiki Tablepager Unescaped Formatvalue
  cve-2024-47782-mediawiki-tablepager-unescaped-formatvalue
CVE-2024-48138: Pluxml Template Editor Arbitrary File Write Rce
  cve-2024-48138-pluxml-template-editor-arbitrary-file-write-rce
CVE-2024-48253: Codeigniter Xss Clean Misused As Sql Sanitizer
  cve-2024-48253-codeigniter-xss-clean-misused-as-sql-sanitizer
CVE-2024-48255: Codeigniter Xss Clean As Sql Sanitizer Injection
  cve-2024-48255-codeigniter-xss-clean-as-sql-sanitizer-injection
CVE-2024-48257: Php Sql Limit Clause Concat Injection
  cve-2024-48257-php-sql-limit-clause-concat-injection
CVE-2024-51051: Php Hardcoded Default Admin Credentials
  cve-2024-51051-php-hardcoded-default-admin-credentials
CVE-2024-52291: Craftcms Sensitive Configuration Exposure
  cve-2024-52291-craftcms-sensitive-configuration-exposure
CVE-2024-52292: Craftcms Cpasset Info Disclosure
  cve-2024-52292-craftcms-cpasset-info-disclosure
CVE-2024-52806: Php Xml Dtdload Xxe
  cve-2024-52806-php-xml-dtdload-xxe
CVE-2024-53850: Glpi Plugin Missing Checkloginuser
  cve-2024-53850-glpi-plugin-missing-checkloginuser
CVE-2024-5407: Php Incomplete Pipe Path Traversal Sanitizer
  cve-2024-5407-php-incomplete-pipe-path-traversal-sanitizer
CVE-2024-54135: Php Unserialize User Input
  cve-2024-54135-php-unserialize-user-input
CVE-2024-56521: Php Curl Ssl Verification Disabled
  cve-2024-56521-php-curl-ssl-verification-disabled
CVE-2024-56801: Glpi Php Sql Injection Superglobal Into Db Query
  cve-2024-56801-glpi-php-sql-injection-superglobal-into-db-query
CVE-2024-5685: Validation Before Authorization Enumeration
  cve-2024-5685-validation-before-authorization-enumeration
CVE-2025-1022: Php Url Denylist Bypass
  cve-2025-1022-php-url-denylist-bypass
CVE-2025-1026: Url Validation Bypass Via Malformed Scheme
  cve-2025-1026-url-validation-bypass-via-malformed-scheme
CVE-2025-12352: Php Copy Url To Path Replace Without Local Check
  cve-2025-12352-php-copy-url-to-path-replace-without-local-check
CVE-2025-14894: Livewire Updated Files Missing Validation
  cve-2025-14894-livewire-updated-files-missing-validation
CVE-2025-21624: Php Unrestricted File Upload User Extension
  cve-2025-21624-php-unrestricted-file-upload-user-extension
CVE-2025-22144: Php Reset Code Empty String Sentinel
  cve-2025-22144-php-reset-code-empty-string-sentinel
CVE-2025-23209: Craftcms Unvalidated Db Restore
  cve-2025-23209-craftcms-unvalidated-db-restore
CVE-2025-23218: Php Pdo Query Sql Injection From Superglobal
  cve-2025-23218-php-pdo-query-sql-injection-from-superglobal
CVE-2025-23219: Php Pdo Query Sqli From User Input
  cve-2025-23219-php-pdo-query-sqli-from-user-input
CVE-2025-23220: Php Pdo Query Sql Injection From Superglobal
  cve-2025-23220-php-pdo-query-sql-injection-from-superglobal
CVE-2025-25206: Mfa Enforcement Restricted To Local Auth
  cve-2025-25206-mfa-enforcement-restricted-to-local-auth
CVE-2025-26606: Php Pdo Query Interpolated String Sqli
  cve-2025-26606-php-pdo-query-interpolated-string-sqli
CVE-2025-26607: Php Pdo Query Sql Injection From Superglobal
  cve-2025-26607-php-pdo-query-sql-injection-from-superglobal
CVE-2025-26608: Php Extract On Request Superglobal
  cve-2025-26608-php-extract-on-request-superglobal
CVE-2025-26611: Php Extract Request Superglobal
  cve-2025-26611-php-extract-request-superglobal
CVE-2025-26617: Php Pdo Mysqli Query Superglobal Sqli
  cve-2025-26617-php-pdo-mysqli-query-superglobal-sqli
CVE-2025-27515: Laravel Validator Static Asterisk Placeholder Cve 2025 27515
  cve-2025-27515-laravel-validator-static-asterisk-placeholder-cve-2025-27515
CVE-2025-27773: Saml Improper Reencoding Signature Bypass
  cve-2025-27773-saml-improper-reencoding-signature-bypass
CVE-2025-30361: Php Weak Password Verification Sha256 Equality
  cve-2025-30361-php-weak-password-verification-sha256-equality
CVE-2025-30364: Php Pdo Query String Interpolation Sqli
  cve-2025-30364-php-pdo-query-string-interpolation-sqli
CVE-2025-32461: Tiki Wiki Get Page Info Missing Edit Check
  cve-2025-32461-tiki-wiki-get-page-info-missing-edit-check
CVE-2025-32956: Mediawiki Htmlform Options Xss
  cve-2025-32956-mediawiki-htmlform-options-xss
CVE-2025-46337: Php Pgsql Identifier Injection Via Pg Query
  cve-2025-46337-php-pgsql-identifier-injection-via-pg-query
CVE-2025-46347: Yeswiki Add Css Preset Missing Extension Allowlist
  cve-2025-46347-yeswiki-add-css-preset-missing-extension-allowlist
CVE-2025-46348: Yeswiki Route Acl Public Mixed With Restriction
  cve-2025-46348-yeswiki-route-acl-public-mixed-with-restriction
CVE-2025-47784: Php Unserialize After Str Replace Prefix Strip
  cve-2025-47784-php-unserialize-after-str-replace-prefix-strip
CVE-2025-47787: Php Incomplete Php Extension Blocklist
  cve-2025-47787-php-incomplete-php-extension-blocklist
CVE-2025-48477: Overly Restrictive Realpath Traversal Validation
  cve-2025-48477-overly-restrictive-realpath-traversal-validation
CVE-2025-48481: Php Freescout Invite Hash Lookup Without Expiration
  cve-2025-48481-php-freescout-invite-hash-lookup-without-expiration
CVE-2025-49132: Laravel Translation Loader Path Traversal Unvalidated Input
  cve-2025-49132-laravel-translation-loader-path-traversal-unvalidated-input
CVE-2025-52474: Php Extract Request Superglobal
  cve-2025-52474-php-extract-request-superglobal
CVE-2025-52560: Picodb Unvalidated Table Identifier
  cve-2025-52560-picodb-unvalidated-table-identifier
CVE-2025-52562: Cve 2025 52562 Laravel Translation Loader Path Traversal
  cve-2025-52562-cve-2025-52562-laravel-translation-loader-path-traversal
CVE-2025-52998: Php Phar Prefix Check Case Sensitive
  cve-2025-52998-php-phar-prefix-check-case-sensitive
CVE-2025-53093: Mediawiki Unsafe Safeencodetagattributes Template
  cve-2025-53093-mediawiki-unsafe-safeencodetagattributes-template
CVE-2025-53370: Mediawiki Unescaped Shortdesc Property
  cve-2025-53370-mediawiki-unescaped-shortdesc-property
CVE-2025-53527: Php Sql Where Clause Concat Injection
  cve-2025-53527-php-sql-where-clause-concat-injection
CVE-2025-54068: Livewire Hydrate For Update Recursive Tuple Hydrate
  cve-2025-54068-livewire-hydrate-for-update-recursive-tuple-hydrate
CVE-2025-54418: Php Shell Cmd Quoted Interpolation Without Escapeshellarg
  cve-2025-54418-php-shell-cmd-quoted-interpolation-without-escapeshellarg
CVE-2025-54592: Php Logout Missing Session Invalidation
  cve-2025-54592-php-logout-missing-session-invalidation
CVE-2025-54875: Freshrss Unprotected New User Is Admin Param
  cve-2025-54875-freshrss-unprotected-new-user-is-admin-param
CVE-2025-55167: Php Pdo Query Sql Injection From Superglobal
  cve-2025-55167-php-pdo-query-sql-injection-from-superglobal
CVE-2025-61597: Phpmailer Hardcoded Smtpsecure Ssl
  cve-2025-61597-phpmailer-hardcoded-smtpsecure-ssl
CVE-2025-61605: Php Unsanitized Request Param In Location Redirect Sqli
  cve-2025-61605-php-unsanitized-request-param-in-location-redirect-sqli
CVE-2025-63414: Php User Input Shell Exec Without Escapeshellarg
  cve-2025-63414-php-user-input-shell-exec-without-escapeshellarg
CVE-2025-66384: Php Is Uploaded File Precedence Bypass
  cve-2025-66384-php-is-uploaded-file-precedence-bypass
CVE-2025-67084: Php Upload Missing Extension Allowlist
  cve-2025-67084-php-upload-missing-extension-allowlist
CVE-2025-68932: Php Weak Prng Token Hash
  cve-2025-68932-php-weak-prng-token-hash
CVE-2026-0859: Php Unserialize Allowedclasses Bypass
  cve-2026-0859-php-unserialize-allowedclasses-bypass
CVE-2026-21446: Php Laravel Ajax Bypass Security Guard
  cve-2026-21446-php-laravel-ajax-bypass-security-guard
CVE-2026-22850: Unvalidated Bulk Sql Import Execution
  cve-2026-22850-unvalidated-bulk-sql-import-execution
CVE-2026-23524: Php Unserialize Without Allowed Classes
  cve-2026-23524-php-unserialize-without-allowed-classes
CVE-2026-2469: Php Imap Unescaped Id Injection
  cve-2026-2469-php-imap-unescaped-id-injection
CVE-2026-24749: CVE 2026 24749 Silverstripe Assets Grant True Default
  cve-2026-24749-cve-2026-24749-silverstripe-assets-grant-true-default
CVE-2026-24898: Unauthenticated Api Login Response Disclosure
  cve-2026-24898-unauthenticated-api-login-response-disclosure
CVE-2026-25924: Controller Plugincontroller Php Cwe 000 Cve 2026 25924
  cve-2026-25924-controller-plugincontroller-php-cwe-000-cve-2026-25924
CVE-2026-27591: Winter Form Context User Controlled Override
  cve-2026-27591-winter-form-context-user-controlled-override
CVE-2026-27833: Piwigo History Search Missing Auth
  cve-2026-27833-piwigo-history-search-missing-auth
CVE-2026-28409: Php Shell Exec Unsanitized User Input
  cve-2026-28409-php-shell-exec-unsanitized-user-input
CVE-2026-29058: Php Command Injection Untrusted Input Shell Exec
  cve-2026-29058-php-command-injection-untrusted-input-shell-exec
CVE-2026-29789: Php Workflow Action Missing Authorize On Foreign Model
  cve-2026-29789-php-workflow-action-missing-authorize-on-foreign-model
CVE-2026-30849: Mantisbt Soap Mci Check Login Untyped Credential Params
  cve-2026-30849-mantisbt-soap-mci-check-login-untyped-credential-params
CVE-2026-30919: Php Insecure Htmlspecialchars Noquotes
  cve-2026-30919-php-insecure-htmlspecialchars-noquotes
CVE-2026-31940: User Controlled Session Id
  cve-2026-31940-user-controlled-session-id
CVE-2026-31952: Incomplete Sql Keyword Blocklist Bypass
  cve-2026-31952-incomplete-sql-keyword-blocklist-bypass
CVE-2026-32300: Laravel Idor Profile Update
  cve-2026-32300-laravel-idor-profile-update
CVE-2026-32313: Php Openssl Decrypt Unvalidated Tag Length
  cve-2026-32313-php-openssl-decrypt-unvalidated-tag-length
CVE-2026-32616: Php Host Header Injection Email Link
  cve-2026-32616-php-host-header-injection-email-link
CVE-2026-33182: Php Url Join Absolute Override
  cve-2026-33182-php-url-join-absolute-override
CVE-2026-33656: Php Attachment Getsourceid Path No Basename
  cve-2026-33656-php-attachment-getsourceid-path-no-basename
CVE-2026-33661: Psr7 Host Header Localhost Bypass
  cve-2026-33661-psr7-host-header-localhost-bypass
CVE-2026-33746: Lcobucci Jwt Validate Without Signedwith
  cve-2026-33746-lcobucci-jwt-validate-without-signedwith
CVE-2026-33942: Php Unserialize Allowed Classes True
  cve-2026-33942-php-unserialize-allowed-classes-true
CVE-2026-34236: Configuration Sdkconfiguration Php Cwe 000 Cve 2026 34236
  cve-2026-34236-configuration-sdkconfiguration-php-cwe-000-cve-2026-34236
CVE-2026-34415: Incomplete Php Extension Denylist Regex Php Glob Misuse
  cve-2026-34415-incomplete-php-extension-denylist-regex-php-glob-misuse
CVE-2026-35047: Php Laravel Unrestricted File Upload To Public Path
  cve-2026-35047-php-laravel-unrestricted-file-upload-to-public-path
CVE-2026-35178: Php Create Function Code Injection
  cve-2026-35178-php-create-function-code-injection
CVE-2026-35184: Php Switch Default Unsanitized Passthrough Sqli
  cve-2026-35184-php-switch-default-unsanitized-passthrough-sqli
CVE-2026-37709: Laravel Write Method With Read Only Authorization
  cve-2026-37709-laravel-write-method-with-read-only-authorization
CVE-2026-38992: Php Sqlite Jsonpath Unsanitized Field Concatenation
  cve-2026-38992-php-sqlite-jsonpath-unsanitized-field-concatenation
CVE-2026-39355: Php Laravel Controller Ownership Reassignment Without Authorization
  cve-2026-39355-php-laravel-controller-ownership-reassignment-without-authorization
CVE-2026-39912: Php Magic Link Token Leak In Response
  cve-2026-39912-php-magic-link-token-leak-in-response
CVE-2026-39962: Php Ldap Injection Unescaped Superglobal In Filter
  cve-2026-39962-php-ldap-injection-unescaped-superglobal-in-filter
CVE-2026-40497: Missing Style In Html Denylist
  cve-2026-40497-missing-style-in-html-denylist
CVE-2026-40498: Php Laravel Md5 App Key Auth Token
  cve-2026-40498-php-laravel-md5-app-key-auth-token
CVE-2026-40569: Php Laravel Mass Assignment Request All Into Fill
  cve-2026-40569-php-laravel-mass-assignment-request-all-into-fill
CVE-2026-41193: Php Zip Slip Extract Without Path Containment
  cve-2026-41193-php-zip-slip-extract-without-path-containment
CVE-2026-41228: Php Lfi Sprintf Path Require No Traversal Guard
  cve-2026-41228-php-lfi-sprintf-path-require-no-traversal-guard
CVE-2026-41231: Froxlor Makecorrectdir Missing Fixed Homedir
  cve-2026-41231-froxlor-makecorrectdir-missing-fixed-homedir
CVE-2026-41247: Php Imagemagick Cli Sprintf Shell Injection
  cve-2026-41247-php-imagemagick-cli-sprintf-shell-injection
CVE-2026-41524: Php Stored Xss Unsanitized Html Model Content
  cve-2026-41524-php-stored-xss-unsanitized-html-model-content
CVE-2026-41904: Overly Strict Realpath Validation Dos
  cve-2026-41904-overly-strict-realpath-validation-dos
CVE-2026-4248: Wp Um Hardcoded Usermeta Blacklist
  cve-2026-4248-wp-um-hardcoded-usermeta-blacklist
CVE-2026-42551: Arbitrary File Write Via Upload Move
  cve-2026-42551-arbitrary-file-write-via-upload-move
CVE-2026-42552: Insecure File Move Uploaded File
  cve-2026-42552-insecure-file-move-uploaded-file
CVE-2026-42569: Phpvms Laravel Importer Route Group Missing Auth
  cve-2026-42569-phpvms-laravel-importer-route-group-missing-auth
CVE-2026-42605: Php Flysystem Local Adapter Path Not Normalized
  cve-2026-42605-php-flysystem-local-adapter-path-not-normalized
CVE-2026-44167: Phpseclib Asn1 Oid Length Bypass
  cve-2026-44167-phpseclib-asn1-oid-length-bypass
CVE-2026-45055: Php Unsanitized Request Loop Interpolation
  cve-2026-45055-php-unsanitized-request-loop-interpolation
CVE-2026-45332: Php Missing Totp Check
  cve-2026-45332-php-missing-totp-check
CVE-2026-4809: Laravel Mediable Prefer Client Mime Type
  cve-2026-4809-laravel-mediable-prefer-client-mime-type
CVE-2026-6409: Php Missing Negative Size Check In Buffer Read
  cve-2026-6409-php-missing-negative-size-check-in-buffer-read
CVE-2026-8181: Wp Authenticate Application Password Iswperror Only Check
  cve-2026-8181-wp-authenticate-application-password-iswperror-only-check
CVE-2026-8209: Php Path Traversal Blacklist Str Replace
  cve-2026-8209-php-path-traversal-blacklist-str-replace