vulnerability

Debian: CVE-2015-8866: php5 - security update

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:P/A:P)

Published

May 21, 2016

Added

Mar 31, 2017

Modified

Mar 30, 2026

Description

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.

Solution

debian-upgrade-php5

References

CWE-611
DEBIAN-DLA-499-1
EUVD-EUVD-2015-8722
NVD-CVE-2015-8866
https://euvd.enisa.europa.eu/vulnerability/EUVD-2015-8722

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report