Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-rdg5-wdyd-xbdm
Vulnerability ID VCID-rdg5-wdyd-xbdm
Aliases CVE-2018-1000888
GHSA-3q76-jq6m-573p
Summary Deserialization of Untrusted Data There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-502 Deserialization of Untrusted Data
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
System Score Found at
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000888.json
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
epss 0.29482 https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-3q76-jq6m-573p
cvssv3.1 8.8 https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2018-1000888.yaml
generic_textual HIGH https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2018-1000888.yaml
cvssv3.1 8.8 https://github.com/pear/Archive_Tar
generic_textual HIGH https://github.com/pear/Archive_Tar
cvssv3.1 8.8 https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
generic_textual HIGH https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
cvssv3.1 8.8 https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html
cvssv2 6.8 https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
cvssv3 8.8 https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
cvssv3.1 8.8 https://pear.php.net/bugs/bug.php?id=23782
generic_textual HIGH https://pear.php.net/bugs/bug.php?id=23782
cvssv3.1 8.8 https://security.gentoo.org/glsa/202006-14
generic_textual HIGH https://security.gentoo.org/glsa/202006-14
cvssv3.1 8.8 https://usn.ubuntu.com/3857-1
generic_textual HIGH https://usn.ubuntu.com/3857-1
cvssv3.1 8.8 https://web.archive.org/web/20210328115328/https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
generic_textual HIGH https://web.archive.org/web/20210328115328/https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
cvssv3.1 8.8 https://web.archive.org/web/20220524160841/https://blog.sonarsource.com/new-php-exploitation-technique?redirect=rips
generic_textual HIGH https://web.archive.org/web/20220524160841/https://blog.sonarsource.com/new-php-exploitation-technique?redirect=rips
cvssv3.1 8.8 https://www.debian.org/security/2019/dsa-4378
generic_textual HIGH https://www.debian.org/security/2019/dsa-4378
cvssv3.1 8.8 https://www.exploit-db.com/exploits/46108
generic_textual HIGH https://www.exploit-db.com/exploits/46108
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000888.json
https://api.first.org/data/v1/epss?cve=CVE-2018-1000888
https://blog.ripstech.com/2018/new-php-exploitation-technique/
https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000888
https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2018-1000888.yaml
https://github.com/pear/Archive_Tar
https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html
https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
https://pear.php.net/bugs/bug.php?id=23782
https://pear.php.net/package/Archive_Tar/download/
https://security.gentoo.org/glsa/202006-14
https://usn.ubuntu.com/3857-1
https://web.archive.org/web/20210328115328/https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
https://web.archive.org/web/20220524160841/https://blog.sonarsource.com/new-php-exploitation-technique?redirect=rips
https://www.debian.org/security/2019/dsa-4378
https://www.exploit-db.com/exploits/46108
https://www.exploit-db.com/exploits/46108/
1669615 https://bugzilla.redhat.com/show_bug.cgi?id=1669615
919147 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919147
cpe:2.3:a:php:pear_archive_tar:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:pear_archive_tar:*:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVE-2018-1000888 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46108.txt
GHSA-3q76-jq6m-573p https://github.com/advisories/GHSA-3q76-jq6m-573p
USN-3857-1 https://usn.ubuntu.com/3857-1/
Data source Exploit-DB
Date added Jan. 10, 2019
Description PEAR Archive_Tar < 1.4.4 - PHP Object Injection
Ransomware campaign use Unknown
Source publication date Jan. 10, 2019
Exploit type webapps
Platform php
Source update date Jan. 10, 2019
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000888.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2018-1000888.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pear/Archive_Tar
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://pear.php.net/bugs/bug.php?id=23782
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/202006-14
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://usn.ubuntu.com/3857-1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://web.archive.org/web/20210328115328/https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://web.archive.org/web/20220524160841/https://blog.sonarsource.com/new-php-exploitation-technique?redirect=rips
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.debian.org/security/2019/dsa-4378
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/46108
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.96575
EPSS Score 0.29482
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:48:12.872218+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pear/archive_tar/CVE-2018-1000888.yml 38.0.0