Vulnerability Charts

Last modified:

All information is derived from CVEDetails.com unless otherwise stated. CVSS values listed are those of the highest scoring CVEs for any listed version. The highest possible score is 10.0, indicating that a version is considered to be ❌ extremely unsafe. The lowest possible score is 0.0, indicating that a version is currently considered to be ✔️ safe.

There may also be additional considerations as to whether a version should be considered ✔️ safe or ❌ unsafe, such as whether the version is still being actively supported, whether it is appropriate to use in production environments, etc. As such, versions will also be marked as either ✔️ safe, ❌ unsafe, or as ➖ in development (versions marked as in development may be safe, but aren't yet considered to be ready for a production environment).

Please note that a ✔️ safe designation does NOT mean that the designated versions are free from bugs and errors! In general, each new "patch release" rectifies various problems, bugs and so forth that could be encountered when using versions older than that patch release. As such, using the latest version of any particular branch is always advised over using older, outdated versions.

If you find any errors, would like to add to the list or make some changes, please send a pull request to the GitHub repository for this page.
Licensing (for this repository): MIT License (feel free to copy and adapt it if you want).


| PHP versions | CVSS | Safe? | Notes |
|---|---|---|---|
| PHP 7.3.11 – 7.4.4 (2019.10.24 – 2020.03.19) | 0.0 | ✔️ | (7.4.4 is the current latest version on the 7.4 branch). (7.3.16 is the current latest version on the 7.3 branch). Note: 7.4.0 should generally be considered ❌ unsafe in the context of PHP applications, scripts, etc that make use of streams, due to a streams bug which could potentially affect them in a critical way. However, as that doesn't concern security, it is designated here as ✔️ safe. The problem affects just that specific version (so, 7.4.1 and onward are perfectly okay in that regard). |
| PHP 7.3.8 – 7.3.10 (2019.08.01 – 2019.09.26) | 5.9~7.5 | | See: CVE-2019-11043 |
| PHP 7.3.3 – 7.3.7 (2019.03.07 – 2019.07.04) | 6.8~8.8 | | |
| PHP 7.3.0 – 7.3.2 (2018.12.06 – 2019.02.07) | 7.5~9.8 | | |
| PHP 7.2.24 – 7.2.29 (2019.10.24 – 2020.03.19) | 7.5 | | (7.2.29 is the current latest version on the 7.2 branch). Should theoretically be ✔️ safe if not using mbstring or any multibyte functionality at all. |
| PHP 7.2.21 – 7.2.23 (2019.04.01 – 2019.09.26) | 5.9~7.5 | | See: CVE-2019-11043 |
| PHP 7.2.16 – 7.2.20 (2019.03.07 – 2019.07.04) | 6.8~8.8 | | |
| PHP 7.2.0 – 7.2.15 (2017.11.30 – 2019.02.07) | 7.5~9.8 | | |
| PHP 7.1.33 (2019.10.24) | 0.6 | ✔️ | (7.1.33 is the current latest version on the 7.1 branch). Anything earlier than this version should be considered ❌ unsafe. |
| PHP 7.1.31 – 7.1.32 (2019.08.01 – 2019.08.21) | 5.9~7.5 | | See: CVE-2019-11043 |
| PHP 7.1.28 – 7.1.30 (2019.04.04 – 2019.05.30) | 6.8~8.8 | | |
| PHP 7.0.8 – 7.1.27 (2016.06.23 – 2019.03.07) | 7.5~9.8 | | (7.0.33 is the current latest version on the 7.0 branch). |
| PHP 7.0.0 – 7.0.7 (2015.12.03 – 2016.05.06) | 10.0 | | |
| PHP < 7 | 7.5~10.0 | | See: CVE-2018-17082, CVE-2019-9641 |

– CVE/CVSS is disputed.
– CVE/CVSS relates to third-party dependencies or bundled items not managed by the package's maintainers.