Vulnerability details: VCID-32vp-nn7p-6ubz
Vulnerability ID VCID-32vp-nn7p-6ubz
Aliases CVE-2015-5161
GHSA-xp8p-9rq5-4wgv
Summary XXE/XEE vulnerability via multibyte payloads. There's a flaw that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only applies when running under PHP-FPM in a threaded environment.
Status Published
Exploitability 0.5
Weighted Severity 0.4
Risk 0.2
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
generic_textual MODERATE http://framework.zend.com/security/advisory/ZF2015-06
generic_textual MODERATE http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html
generic_textual MODERATE http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html
epss 0.39093 https://api.first.org/data/v1/epss?cve=CVE-2015-5161
generic_textual MODERATE http://seclists.org/fulldisclosure/2015/Aug/46
generic_textual MODERATE https://framework.zend.com/security/advisory/ZF2015-06
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5161.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5161.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendxml/CVE-2015-5161.yaml
generic_textual MODERATE https://github.com/zendframework/ZendXml/commit/79f478fa2af85ce1fc18ac132dee5aa714c3b532
generic_textual MODERATE https://github.com/zendframework/zf1/commit/ff7edddf1410b44b5ead857c02698aad9f748d1b
generic_textual MODERATE https://github.com/zendframework/zf1/issues/393
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2015-5161
generic_textual MODERATE https://web.archive.org/web/20200228055156/http://www.securityfocus.com/bid/76177
generic_textual MODERATE https://www.exploit-db.com/exploits/37765
generic_textual MODERATE http://www.debian.org/security/2015/dsa-3340
generic_textual MODERATE http://www.securityfocus.com/bid/76177
Reference id Reference type URL
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html
http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html
https://api.first.org/data/v1/epss?cve=CVE-2015-5161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
http://seclists.org/fulldisclosure/2015/Aug/46
https://framework.zend.com/security/advisory/ZF2015-06
https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5161.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5161.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendxml/CVE-2015-5161.yaml
https://github.com/zendframework/ZendXml/commit/79f478fa2af85ce1fc18ac132dee5aa714c3b532
https://github.com/zendframework/zf1/commit/ff7edddf1410b44b5ead857c02698aad9f748d1b
https://github.com/zendframework/zf1/issues/393
https://nvd.nist.gov/vuln/detail/CVE-2015-5161
https://web.archive.org/web/20200228055156/http://www.securityfocus.com/bid/76177
https://www.exploit-db.com/exploits/37765
http://www.debian.org/security/2015/dsa-3340
http://www.securityfocus.com/bid/76177
CVE-2015-5161 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/37765.txt
CVE-2015-5161;OSVDB-125783 Exploit http://framework.zend.com/security/advisory/ZF2015-06
CVE-2015-5161;OSVDB-125783 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/38573.txt
Data source Exploit-DB
Date added Oct. 30, 2015
Description eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection
Ransomware campaign use Unknown
Source publication date Oct. 30, 2015
Exploit type webapps
Platform php
Source update date Oct. 30, 2015
Source URL http://framework.zend.com/security/advisory/ZF2015-06
Exploit Prediction Scoring System (EPSS)
Percentile 0.97347
EPSS Score 0.39093
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:52:17.053285+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zendframework1/CVE-2015-5161.yml 38.6.0