Popular websites and services were at risk prior to the patching of these vulnerabilities
Positive Technologies experts enhance PHP security
PT SWARM experts Alexey Solovev and Nikita Sveshnikov have discovered and helped patch two vulnerabilities in PHP database components. PHP is a widely used open‑source programming language employed for web development and process automation, including database migration and version control via package managers. If successfully exploited, these flaws could allow an attacker to execute SQL injection1 or cause a denial‑of‑service (DoS) condition in any PHP‑based system using the vulnerable elements. The PHP development team was notified of the threats under a responsible disclosure policy and has since released updates patching the extension and the driver.
PHP is the 12th most popular programming language globally. As of summer 2026, GitHub hosts 5.2 million PHP projects. PHP is used to build the architecture of popular marketplaces, e‑commerce platforms like Magento2, as well as learning management systems (LMS) and content management systems (CMS). In fact, most websites run on CMS platforms like WordPress and Drupal. During threat intelligence, Positive Technologies experts identified approximately 1.8 million potentially vulnerable PHP‑based resources in Russia alone.
1 An attack tactic that allows an attacker to interfere with the queries that an application sends to its database.
The vulnerability PT-2025-525992 (CVE-2025-14180) carries a CVSS 3.1 score of 7.5 out of 10. This vulnerability was found in the PHP Data Objects (PDO) extension, which provides developers with a unified interface for database access, specifically when interacting with PostgreSQL databases. The vulnerability PT-2026-39443 (CVE-2025-14179) was assigned a score of 9.8, indicating a critical severity level. This bug was located in pdo_firebird, a PDO driver required to connect PHP applications to the widely used Firebird database management system.
These vulnerabilities put any software using PHP to interact with Firebird or PostgreSQL databases at risk. According to a Stack Overflow survey, PostgreSQL was the most widely used database management system in the world in 2025. A potential outage could undermine user trust in the service, while recovery efforts would require significant time and financial resources.
By successfully exploiting PT-2026-39443, a threat actor could inject arbitrary SQL code during the preparation of SQL queries. The attack was made possible by the improper handling of the NUL byte (\x00). This action drops the closing quote, causing subsequent SQL tokens to be interpreted as part of the string.
The resulting malicious SQL query could allow an attacker to perform destructive database operations, depending on the specific action the DBMS was executing. These actions may range from reading confidential tables to fully modifying or deleting them. The ultimate impact would depend on the architecture of the compromised system, potentially leading to the takeover of the administrator panel, privilege escalation, or the compromise of personal data. Once in control of the administrator panel, an attacker could abuse legitimate features, such as the upload of executable files, or other web application vulnerabilities to execute arbitrary code on the server, gaining full control over the infrastructure.
The vulnerability PT-2025-52599 could allow an attacker to crash the interpreter by submitting malformed data, such as invalid characters. Prior to the patch, this flaw could be exploited if emulated prepared statements were enabled in the pdo_pgsql driver, which handles PostgreSQL interactions. In this mode, the SQL template and its parameters are bound on the PHP side rather than by the database itself. Because the crash occurs at the core system level, standard mechanisms like try‑catch are useless. In complex distributed systems or business workflows without end‑to‑end transactions, the sudden death of a process at a critical stage leads to data desynchronization: one part of an operation (like sending a request to an external system) might complete, but the subsequent code to process the response never runs.
2 The security vulnerability has been registered on the dbugs portal, which aggregates data on vulnerabilities in software and hardware from vendors around the world.
In simple terms, a successful attack exploiting this vulnerability would kill the PHP process at the OS level right in the middle of writing data. An attacker could input malformed special characters into a text field, such as a delivery address. When the website attempted to process and save this data to the PostgreSQL database, PHP's internal mechanism would break, prompting the operating system to instantly terminate the process.3 This would cause data desynchronization: a customer's payment could be deducted, but the service would fail to create the order record, generate invoices, or send the item to the warehouse for delivery.
3 Due to the runtime crash, none of the security algorithms or error checks built into the code could trigger.
"A vulnerability in a programming language poses a far greater threat than a flaw in a product. Due to these security gaps in PHP, millions of systems worldwide could have been at risk—from public web resources to internal automation scripts and server utilities. What makes this research unique is that the flaws were found in the PDO extension and the pdo_firebird driver—a fundamental mechanism designed specifically to prevent SQL injection. This explains why such bugs are extremely difficult to detect: static application security testing (SAST) tools only scan the high-level application code and its dependencies, provided the source code is available. In this scenario, the developers' source code was clean and legitimate, making the interpreter‑level vulnerability PT-2025-52599 invisible to standard security tools."
To mitigate the vulnerabilities, PHP users must upgrade to the latest version. Alternatively, to patch PT-2025-52599, users should download PHP versions 8.1.34, 8.2.30, 8.3.29, 8.4.16, or 8.5.1 (or later). To patch PT-2026-39443, users should update to versions 8.2.31, 8.3.31, 8.4.21, or 8.5.6 (or later).
For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and vendor recommendations for software and hardware from vendors around the world.