{
  "affected": [
    {
      "database_specific": {
        "unresolved_ranges": [
          {
            "events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "5.19.0"
              }
            ]
          },
          {
            "events": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "30"
              }
            ]
          },
          {
            "events": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "31"
              }
            ]
          }
        ]
      },
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "7.2.0"
              },
              {
                "last_affected": "7.2.26"
              },
              {
                "introduced": "7.3.0"
              },
              {
                "last_affected": "7.3.13"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "7.4.0"
              }
            ]
          },
          "events": [
            {
              "introduced": "8148cbb78841c8ec0759c0836e7f35dec799d300"
            },
            {
              "last_affected": "1df155af14c3b7473b628574eb46a7ce11caadfd"
            },
            {
              "introduced": "52ace952a1b65ca80fc2617f11c2fa6dd03f51bd"
            },
            {
              "last_affected": "a1457cf8b8b82516bf9561eb43972b63074fa9ae"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "3c7824e16ec4c3cee417262445d2c2b66531c10f"
            }
          ],
          "repo": "https://github.com/php/php-src",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \\0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.",
  "id": "CVE-2019-11044",
  "modified": "2026-03-13T21:53:59.491754488Z",
  "published": "2019-12-23T03:15:10.913Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/"
    },
    {
      "type": "ADVISORY",
      "url": "https://security.netapp.com/advisory/ntap-20200103-0002/"
    },
    {
      "type": "ADVISORY",
      "url": "https://www.tenable.com/security/tns-2021-14"
    },
    {
      "type": "FIX",
      "url": "https://bugs.php.net/bug.php?id=78862"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}