{"id":"CVE-2024-8926","details":"In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 (https://github.com/advisories/GHSA-vxpp-6299-mxw3) may still be bypassed and the same command injection related to Windows \"Best Fit\" codepage behavior can be achieved. This may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.","aliases":["BIT-libphp-2024-8926","BIT-php-2024-8926","BIT-php-min-2024-8926","GHSA-p99j-rfp4-xqvq"],"modified":"2026-04-10T05:20:07.241926Z","published":"2024-10-08T04:15:10.637Z","references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241101-0003/"},{"type":"EVIDENCE","url":"https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"381ba9f5d0edd0c9c8ec1dea7e21d513ad08b115"},{"fixed":"773c0eda4ac8181c59a6510a39c37710679277a4"},{"introduced":"70ee6c20ad97e02c2b8098aeea96fefbbc3ac5c2"},{"fixed":"12ccdff196cd927b2c3e9c04abad3c4117b5bd42"},{"introduced":"d26068059e83fe40de3430a512471d194119bee0"},{"fixed":"b4ecd9aa2edfdff932deb9c09105a9cb3445c3bc"}],"database_specific":{"versions":[{"introduced":"8.1.0"},{"fixed":"8.1.30"},{"introduced":"8.2.0"},{"fixed":"8.2.24"},{"introduced":"8.3.0"},{"fixed":"8.3.12"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-8926.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}