CVE-2026-35178: PHP create_function Code Injection
greprules fetch cve-2026-35178-php-create-function-code-injection --engine opengrep
Description
Use of PHP's create_function() compiles its second argument via internal eval(). When any value that flows into the body string originates from request data (cookies, query parameters, headers, or config values overrideable by the client), this becomes a code-injection / RCE primitive (CWE-94). Replace create_function() with an anonymous closure (function(..
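The pattern described above, shown beside a closure-based replacement. This is an added example, not the rule's own test case or code from the affected project; the function names, the `sort` cookie, the allow-list and the sample rows are assumptions made for illustration.

```php
<?php
// Constructed sample data for the example.
$rows = [
    ['name' => 'mallory', 'email' => 'm@example.test'],
    ['name' => 'alice',   'email' => 'z@example.test'],
];

// BEFORE (vulnerable pattern, kept for comparison and never called here).
// $field is spliced into source text that create_function() compiles with
// its internal eval(), so request data becomes part of the compiled PHP.
// create_function() is deprecated since PHP 7.2 and removed in PHP 8.0.
function sort_rows_vulnerable(array $rows, string $field): array
{
    $cmp = create_function(
        '$a, $b',
        "return strcmp(\$a['$field'], \$b['$field']);"
    );
    usort($rows, $cmp);
    return $rows;
}

// AFTER: a closure is compiled once with the file. $field is captured as a
// value through use() and only ever used as an array key, never as code.
function sort_rows_safe(array $rows, string $field): array
{
    // Allow-list the keys the client may sort by (assumed column names).
    $allowed = ['name', 'email'];
    if (!in_array($field, $allowed, true)) {
        $field = 'name';
    }
    usort($rows, function (array $a, array $b) use ($field): int {
        return strcmp($a[$field], $b[$field]);
    });
    return $rows;
}

// Request data: accept only a string cookie; arrays (sort[]=x) fall back.
$requested = (isset($_COOKIE['sort']) && is_string($_COOKIE['sort']))
    ? $_COOKIE['sort']
    : 'name';

print_r(sort_rows_safe($rows, $requested));
```

The allow-list is separate from the injection fix: the closure removes the eval path, and the allow-list keeps an unexpected key from reaching the array lookup.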
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided