Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/zendframework/zendframework@2.2.3
purl pkg:composer/zendframework/zendframework@2.2.3
Next non-vulnerable version 2.5.2
Latest non-vulnerable version 2.5.2
Risk 10.0
Vulnerabilities affecting this package (14)
Vulnerability Summary Fixed by
VCID-2g8z-51nu-17hs
Aliases:
ZF2015-01
Session Fixation Session validation vulnerability.
2.2.9
Affected by 8 other vulnerabilities.
2.3.4
Affected by 10 other vulnerabilities.
VCID-6xpr-93ef-27cu
Aliases:
CVE-2014-8088
GHSA-f6rc-rh43-h8gr
Improper Authentication The (1) `Zend_Ldap` class in Zend and (2) `Zend
dap` component in Zend allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
2.2.8
Affected by 9 other vulnerabilities.
2.3.3
Affected by 11 other vulnerabilities.
VCID-8atm-865q-mkf3
Aliases:
ZF2015-09
Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\Captcha\Word`.
2.4.9
Affected by 2 other vulnerabilities.
2.5.0
Affected by 3 other vulnerabilities.
VCID-8fwb-56kb-jubf
Aliases:
CVE-2015-7503
GHSA-pm9m-w23q-5967
Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey Zend\Crypt\PublicKey\Rsa\PublicKey has a call to `openssl_public_encrypt()` which uses PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless there are not using the RSA public key functionality.
2.4.9
Affected by 2 other vulnerabilities.
2.5.2
Affected by 0 other vulnerabilities.
VCID-9z4g-byhj-3fak
Aliases:
CVE-2015-0270
GHSA-v59p-p692-v382
SQL Injection Zend Framework has Potential SQL injection in PostgreSQL `Zend\Db` adapter.
2.2.10
Affected by 7 other vulnerabilities.
2.3.5
Affected by 9 other vulnerabilities.
VCID-eezd-92tv-mkdf
Aliases:
ZF2014-03
Cross-site Scripting Potential XSS vector in multiple view helpers.
2.2.7
Affected by 11 other vulnerabilities.
2.3.1
Affected by 13 other vulnerabilities.
VCID-grk8-aj34-hqb4
Aliases:
ZF2014-01
Improper Restriction of XML External Entity Reference Potential XXE/XEE attacks using PHP functions: `simplexml_load_*`, `DOMDocument::loadXML`, and `xml_parse`.
2.2.6
Affected by 11 other vulnerabilities.
VCID-nbuf-3vcw-mqg4
Aliases:
ZF2013-04
Information Exposure Potential Remote Address Spoofing Vector in `Zend\Http\PhpEnvironment\RemoteAddress`.
2.2.5
Affected by 13 other vulnerabilities.
VCID-njsg-e1w1-9qcy
Aliases:
CVE-2015-5161
GHSA-xp8p-9rq5-4wgv
XXE/XEE vulnerability via multibyte payloads There's a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment.
2.4.6
Affected by 6 other vulnerabilities.
2.5.2
Affected by 0 other vulnerabilities.
VCID-q74z-645k-c7dk
Aliases:
CVE-2015-5723
GHSA-pw5c-xqf2-6xc2
Security Misconfiguration Vulnerability Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of
2.4.8
Affected by 5 other vulnerabilities.
VCID-qs6q-pjks-euh4
Aliases:
ZF2016-04
Remote code execution in zend-mail via Sendmail adapter A malicious user may be able to inject arbitrary parameters to the system Sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability.
2.4.11
Affected by 1 other vulnerability.
2.5.0
Affected by 3 other vulnerabilities.
VCID-r5y8-nc2w-kqde
Aliases:
CVE-2014-8089
GHSA-qh9w-r7g5-q939
SQL Injection SQL injection vector when manually quoting values for `sqlsrv` extension, using null byte.
2.2.8
Affected by 9 other vulnerabilities.
2.3.3
Affected by 11 other vulnerabilities.
VCID-vmut-b2y4-rkcp
Aliases:
GMS-2015-48
Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.
2.4.9
Affected by 2 other vulnerabilities.
2.5.2
Affected by 0 other vulnerabilities.
VCID-wz4g-j8zt-ruff
Aliases:
ZF2018-01
URL Redirection to Untrusted Site (Open Redirect) URL Rewrite vulnerability.
2.5.0
Affected by 3 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T20:27:18.835976+00:00 GitLab Importer Affected by VCID-r5y8-nc2w-kqde https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/CVE-2014-8089.yml 38.6.0
2026-06-04T20:25:11.847211+00:00 GitLab Importer Affected by VCID-9z4g-byhj-3fak https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/CVE-2015-0270.yml 38.6.0
2026-06-04T20:13:02.192363+00:00 GitLab Importer Affected by VCID-wz4g-j8zt-ruff https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/ZF2018-01.yml 38.6.0
2026-06-04T20:09:34.604344+00:00 GitLab Importer Affected by VCID-8fwb-56kb-jubf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/CVE-2015-7503.yml 38.6.0
2026-06-04T20:06:52.870925+00:00 GitLab Importer Affected by VCID-qs6q-pjks-euh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/ZF2016-04.yml 38.6.0
2026-06-04T20:06:05.702749+00:00 GitLab Importer Affected by VCID-q74z-645k-c7dk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/CVE-2015-5723.yml 38.6.0
2026-06-04T20:05:14.504399+00:00 GitLab Importer Affected by VCID-vmut-b2y4-rkcp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/GMS-2015-48.yml 38.6.0
2026-06-04T20:05:13.484283+00:00 GitLab Importer Affected by VCID-8atm-865q-mkf3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/ZF2015-09.yml 38.6.0
2026-06-04T20:05:01.203747+00:00 GitLab Importer Affected by VCID-njsg-e1w1-9qcy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/CVE-2015-5161.yml 38.6.0
2026-06-04T20:04:38.230462+00:00 GitLab Importer Affected by VCID-2g8z-51nu-17hs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/ZF2015-01.yml 38.6.0
2026-06-04T20:04:31.424622+00:00 GitLab Importer Affected by VCID-6xpr-93ef-27cu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/CVE-2014-8088.yml 38.6.0
2026-06-04T20:04:01.533939+00:00 GitLab Importer Affected by VCID-eezd-92tv-mkdf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/ZF2014-03.yml 38.6.0
2026-06-04T20:04:00.308631+00:00 GitLab Importer Affected by VCID-grk8-aj34-hqb4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/ZF2014-01.yml 38.6.0
2026-06-04T20:03:49.136667+00:00 GitLab Importer Affected by VCID-nbuf-3vcw-mqg4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework/ZF2013-04.yml 38.6.0