CWE-616: Incomplete Identification of Uploaded File Variables (PHP)
low-risk
The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.
Abstraction: Variant
Common Consequences
Confidentiality → Read Files or Directories
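The legacy pattern from the description beside a hardened handler, as an added example that is not code from this page or from any of the listed CVEs. The field name `varname` follows the description; `UPLOAD_DIR`, the function names and the PNG/JPEG allowlist are assumptions, and the legacy globals only exist where `register_globals`-style behaviour (removed in PHP 5.4) is enabled or emulated.

```php
<?php
// Added illustration. The upload field "varname" follows the page's description;
// UPLOAD_DIR and both function names are hypothetical.

const UPLOAD_DIR = '/var/www/uploads';   // assumed destination directory

// Legacy pattern (CWE-616): trusts globals that a request parameter could have set.
function store_upload_legacy(): bool
{
    global $varname, $varname_name;
    // $varname is treated as the temp file path, but nothing proves PHP's
    // upload handler wrote it, so it may name any file the server can read.
    return copy($varname, UPLOAD_DIR . '/' . $varname_name);
}

// Hardened pattern: read only $_FILES and let PHP confirm the upload's origin.
function store_upload(string $field = 'varname'): string
{
    $f = $_FILES[$field] ?? null;
    if (!is_array($f) || is_array($f['error'] ?? null)) { // missing, or a multi-file array
        throw new RuntimeException('no single upload in this field');
    }
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . $f['error']);
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('tmp_name is not a PHP upload');
    }
    // The client-supplied name and type are untrusted: derive the type from
    // the content (needs the fileinfo extension) and generate the stored name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    $ext = ['image/png' => 'png', 'image/jpeg' => 'jpg'][$mime] ?? null; // example allowlist
    if ($ext === null) {
        throw new RuntimeException('type not allowed: ' . $mime);
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() repeats the upload-origin check before moving.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}
```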
Real-World Examples (9)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2024-31601 | 9.8 | 0.2% | — |
| CVE-2023-38947 | 7.2 | 0.2% | — |
| CVE-2024-52305 | 6.5 | 0.1% | — |
| CVE-2024-29858 | 9.8 | 0.1% | — |
| CVE-2025-67084 | 9.9 | 0.1% | — |
| CVE-2024-28520 | 6.5 | 0.1% | — |
| CVE-2026-22789 | 5.4 | 0.0% | — |
| CVE-2025-52130 | 5.4 | 0.0% | — |
| CVE-2025-59402 | 5.4 | 0.0% | — |
0 / 100 · low-risk
Active Threat: 0/50 · Minimal
Exploit Availability: 0/50 · Minimal