CVE-2015-5161

Name: CVE-2015-5161
Creator: NVD / NIST
Published: 2015-08-25T17:59:03.307+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 9.91%

Last modified Jun 17, 2026

CVE-2015-5161 is a vulnerability of currently unknown severity. The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.. EPSS estimates a 9.91% chance of exploitation in the next 30 days.

Description

The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.

Metrics

EPSS Probability

9.91%

95.0th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions	Update
Zend	Zend Framework	1.0.0	—
Zend	Zend Framework	1.0.1	—
Zend	Zend Framework	1.0.2	—
Zend	Zend Framework	1.0.3	—
Zend	Zend Framework	1.0.4	—
Zend	Zend Framework	1.5.0	Rc1
Zend	Zend Framework	1.5.1	—
Zend	Zend Framework	1.5.2	—
Zend	Zend Framework	1.5.3	—
Zend	Zend Framework	1.6.0	—
Zend	Zend Framework	1.6.1	—
Zend	Zend Framework	1.6.2	—
Zend	Zend Framework	1.7.0	—
Zend	Zend Framework	1.7.1	—
Zend	Zend Framework	1.7.2	—
Zend	Zend Framework	1.7.3	—
Zend	Zend Framework	1.7.4	—
Zend	Zend Framework	1.7.5	—
Zend	Zend Framework	1.7.6	—
Zend	Zend Framework	1.7.7	—
Zend	Zend Framework	1.7.8	—
Zend	Zend Framework	1.7.9	—
Zend	Zend Framework	1.8.0	—
Zend	Zend Framework	1.8.1	—
Zend	Zend Framework	1.8.2	—
Zend	Zend Framework	1.8.3	—
Zend	Zend Framework	1.8.4	—
Zend	Zend Framework	1.8.5	—
Zend	Zend Framework	1.9.0	—
Zend	Zend Framework	1.9.1	—
Zend	Zend Framework	1.9.2	—
Zend	Zend Framework	1.9.3	—
Zend	Zend Framework	1.9.4	—
Zend	Zend Framework	1.9.5	—
Zend	Zend Framework	1.9.6	—
Zend	Zend Framework	1.9.7	—
Zend	Zend Framework	1.9.8	—
Zend	Zend Framework	1.10.0	—
Zend	Zend Framework	1.10.1	—
Zend	Zend Framework	1.10.2	—
Zend	Zend Framework	1.10.3	—
Zend	Zend Framework	1.10.4	—
Zend	Zend Framework	1.10.5	—
Zend	Zend Framework	1.10.6	—
Zend	Zend Framework	1.10.7	—
Zend	Zend Framework	1.10.8	—
Zend	Zend Framework	1.10.9	—
Zend	Zend Framework	1.11.0	—
Zend	Zend Framework	1.11.1	—
Zend	Zend Framework	1.11.2	—

Showing 50 of 119 affected configurations. See NVD for the full list.

References

Timeline

Published: Aug 25, 2015
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2015-5161?

How severe is CVE-2015-5161?

Severity scoring for CVE-2015-5161 is pending analysis. The EPSS model estimates a 9.91% probability of exploitation in the next 30 days.

How do I fix CVE-2015-5161?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2015-5161?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST