Vulnerability details: VCID-d1kp-7aht-9qa2
Vulnerability ID VCID-d1kp-7aht-9qa2
Aliases CVE-2015-2308
GHSA-5c58-w9xc-qcj9
Summary ESI Code Injection: Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache` class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
generic_textual MODERATE http://jvndb.jvn.jp/jvndb/JVNDB-2015-000089
generic_textual MODERATE http://jvn.jp/en/jp/JVN19578958/index.html
epss 0.00543 https://api.first.org/data/v1/epss?cve=CVE-2015-2308
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-5c58-w9xc-qcj9
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2015-2308.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-2308.yaml
generic_textual MODERATE https://github.com/symfony/symfony
generic_textual MODERATE https://github.com/symfony/symfony/pull/14167/commits/195c57e1f50765aff33137689b16e126a689056a
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2015-2308
generic_textual MODERATE https://symfony.com/blog/cve-2015-2308-esi-code-injection
generic_textual MODERATE https://symfony.com/cve-2015-2308
generic_textual MODERATE https://web.archive.org/web/20200228084751/http://www.securityfocus.com/bid/75357
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.67645
EPSS Score 0.00543
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:46:57.595762+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2015-2308.yml 38.0.0