CVE-2015-10141

216.73.217.22

· Published 23/07/2025 14:15 · Modified 23/07/2025 14:15

Labels: CVE-2015-10141 2025-07-23 CVE-2015-10141 CWE-78 [email protected]

Essential information

Published: 23/07/2025 14:15
Modified: 23/07/2025 14:15
Author: —
Creator: —
CVSS: 9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
derick rethans / xdebug	`cpe:2.3:a:derick_rethans:xdebug:2.5.5:::::::*`
derick rethans / xdebug	`cpe:2.3:a:derick_rethans:xdebug:<2.5.5:::::::*`