Cyber Resilience

CVE-2025-14179

HighUpdated

Published: 10 May 2026

Published
10 May 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Amber
EPSS Score 0.0030 21.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-14179 is a high-severity SQL Injection (CWE-89) vulnerability in Php Php. Its CVSS base score is 7.4 (High).

Operationally, ranked at the 21.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is…

more

copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

php
php
8.2.0 — 8.2.31 · 8.3.0 — 8.3.31 · 8.4.0 — 8.4.21

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References