CVE-2015-8866

CRITICAL

9.6

CVSS Severity Score

EPSS Score0.0570%

EPSS Percentile24.43th

PublishedMay 22, 2016

Last ModifiedMay 6, 2026

Vulnerability Description

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.

Affected Platforms (CPE)

📦

Php

>= 5.5.0 and < 5.5.22

📦

Php

>= 5.6.0 and < 5.6.6

📦

Php

>= 7.0.0 and < 7.0.27

📦

Php

>= 7.1.0 and < 7.1.13

📦

Php

>= 7.2.0 and < 7.2.1

💻

Canonical

Ubuntu Linux

= 12.04

💻

Canonical

Ubuntu Linux

= 14.04

💻

Canonical

Ubuntu Linux

= 15.10

💻

Opensuse

Leap

= 42.1

💻

Opensuse

= 13.2

💻

Suse

Linux Enterprise Module For Web Scripting

= 12

💻

Suse

Linux Enterprise Software Development Kit

= 12

💻

Suse

Linux Enterprise Software Development Kit

= 12

References & Advisories

🔗 http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=de31324c221c1791b26350ba106cc26bad23ace9

🔗 http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00031.html

🔗 http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00033.html

🔗 http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00056.html

🔗 http://rhn.redhat.com/errata/RHSA-2016-2750.html

🔗 http://www.openwall.com/lists/oss-security/2016/04/24/1

🔗 http://www.php.net/ChangeLog-5.php

🔗 http://www.securityfocus.com/bid/87470

Vulnerability Description

Affected Platforms (CPE)

Php

Php

Php

Php

Php

Ubuntu Linux

Ubuntu Linux

Ubuntu Linux

Leap

Opensuse

Linux Enterprise Module For Web Scripting

Linux Enterprise Software Development Kit

Linux Enterprise Software Development Kit

References & Advisories

Related Vulnerabilities