CVE-2015-5161

Exp

The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.

Published: 2015-08-25 Last update: 2026-05-06 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2015-5161 is rated High Exploit Risk (81.3/100): CVSS Medium severity, with high exploitation likelihood (EPSS 39.09%, 97th percentile). 7 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +6.32% over the last day, indicating growing attacker interest. Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2015-5161

EDB-ID Source Kind Published Link
38573 exploit_db edb 2015-10-30 Exploit-DB ↗
37765 exploit_db edb 2015-08-13 Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2015-5161

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-05-10 32.78% 39.09% +6.32%
2 2026-01-16 40.83% 32.78% -8.05%
3 2025-12-01 40.83%

Full EPSS history (12 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2015-5161

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.8 2.0 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 8.6 6.4 [email protected]

Weakness enumeration for CVE-2015-5161

GitHub Security Advisory for CVE-2015-5161

GHSA-xp8p-9rq5-4wgv · Severity: medium · Ecosystem: composer — ZendXml and Zend Framework contain XXE and XEE Vulnerabilities

OS Trackers for CVE-2015-5161

vendor priority summary link
ubuntu medium CVE-2015-5161 medium priority: Ubuntu including 1 source packages (php-zend-xml), 5 status rows across 5 suites (precise, trusty, upstream, vivid, wily): DNE 3, ignored 1, needs-triage 1. https://ubuntu.com/security/CVE-2015-5161

NVD evaluator notes for CVE-2015-5161

Comment: <a href="http://cwe.mitre.org/data/definitions/611.html">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>

Affected software / configurations for CVE-2015-5161

Vendor Product Version Raw CPE
zend zend_framework 1.0.0 cpe:2.3:a:zend:zend_framework:1.0.0:*:*:*:*:*:*:*
zend zend_framework 1.0.0 cpe:2.3:a:zend:zend_framework:1.0.0:rc1:*:*:*:*:*:*
zend zend_framework 1.0.0 cpe:2.3:a:zend:zend_framework:1.0.0:rc2:*:*:*:*:*:*
zend zend_framework 1.0.0 cpe:2.3:a:zend:zend_framework:1.0.0:rc2a:*:*:*:*:*:*
zend zend_framework 1.0.0 cpe:2.3:a:zend:zend_framework:1.0.0:rc3:*:*:*:*:*:*
zend zend_framework 1.0.1 cpe:2.3:a:zend:zend_framework:1.0.1:*:*:*:*:*:*:*
zend zend_framework 1.0.2 cpe:2.3:a:zend:zend_framework:1.0.2:*:*:*:*:*:*:*
zend zend_framework 1.0.3 cpe:2.3:a:zend:zend_framework:1.0.3:*:*:*:*:*:*:*
zend zend_framework 1.0.4 cpe:2.3:a:zend:zend_framework:1.0.4:*:*:*:*:*:*:*
zend zend_framework 1.5.0 cpe:2.3:a:zend:zend_framework:1.5.0:rc1:*:*:*:*:*:*
zend zend_framework 1.5.0 cpe:2.3:a:zend:zend_framework:1.5.0:rc2:*:*:*:*:*:*
zend zend_framework 1.5.0 cpe:2.3:a:zend:zend_framework:1.5.0:rc3:*:*:*:*:*:*
zend zend_framework 1.5.1 cpe:2.3:a:zend:zend_framework:1.5.1:*:*:*:*:*:*:*
zend zend_framework 1.5.2 cpe:2.3:a:zend:zend_framework:1.5.2:*:*:*:*:*:*:*
zend zend_framework 1.5.3 cpe:2.3:a:zend:zend_framework:1.5.3:*:*:*:*:*:*:*
zend zend_framework 1.6.0 cpe:2.3:a:zend:zend_framework:1.6.0:*:*:*:*:*:*:*
zend zend_framework 1.6.0 cpe:2.3:a:zend:zend_framework:1.6.0:rc1:*:*:*:*:*:*
zend zend_framework 1.6.0 cpe:2.3:a:zend:zend_framework:1.6.0:rc2:*:*:*:*:*:*
zend zend_framework 1.6.0 cpe:2.3:a:zend:zend_framework:1.6.0:rc3:*:*:*:*:*:*
zend zend_framework 1.6.1 cpe:2.3:a:zend:zend_framework:1.6.1:*:*:*:*:*:*:*
zend zend_framework 1.6.2 cpe:2.3:a:zend:zend_framework:1.6.2:*:*:*:*:*:*:*
zend zend_framework 1.7.0 cpe:2.3:a:zend:zend_framework:1.7.0:*:*:*:*:*:*:*
zend zend_framework 1.7.0 cpe:2.3:a:zend:zend_framework:1.7.0:pl1:*:*:*:*:*:*
zend zend_framework 1.7.0 cpe:2.3:a:zend:zend_framework:1.7.0:pr:*:*:*:*:*:*
zend zend_framework 1.7.1 cpe:2.3:a:zend:zend_framework:1.7.1:*:*:*:*:*:*:*
zend zend_framework 1.7.2 cpe:2.3:a:zend:zend_framework:1.7.2:*:*:*:*:*:*:*
zend zend_framework 1.7.3 cpe:2.3:a:zend:zend_framework:1.7.3:*:*:*:*:*:*:*
zend zend_framework 1.7.3 cpe:2.3:a:zend:zend_framework:1.7.3:pl1:*:*:*:*:*:*
zend zend_framework 1.7.4 cpe:2.3:a:zend:zend_framework:1.7.4:*:*:*:*:*:*:*
zend zend_framework 1.7.5 cpe:2.3:a:zend:zend_framework:1.7.5:*:*:*:*:*:*:*
zend zend_framework 1.7.6 cpe:2.3:a:zend:zend_framework:1.7.6:*:*:*:*:*:*:*
zend zend_framework 1.7.7 cpe:2.3:a:zend:zend_framework:1.7.7:*:*:*:*:*:*:*
zend zend_framework 1.7.8 cpe:2.3:a:zend:zend_framework:1.7.8:*:*:*:*:*:*:*
zend zend_framework 1.7.9 cpe:2.3:a:zend:zend_framework:1.7.9:*:*:*:*:*:*:*
zend zend_framework 1.8.0 cpe:2.3:a:zend:zend_framework:1.8.0:*:*:*:*:*:*:*
zend zend_framework 1.8.0 cpe:2.3:a:zend:zend_framework:1.8.0:a1:*:*:*:*:*:*
zend zend_framework 1.8.0 cpe:2.3:a:zend:zend_framework:1.8.0:b1:*:*:*:*:*:*
zend zend_framework 1.8.1 cpe:2.3:a:zend:zend_framework:1.8.1:*:*:*:*:*:*:*
zend zend_framework 1.8.2 cpe:2.3:a:zend:zend_framework:1.8.2:*:*:*:*:*:*:*
zend zend_framework 1.8.3 cpe:2.3:a:zend:zend_framework:1.8.3:*:*:*:*:*:*:*
zend zend_framework 1.8.4 cpe:2.3:a:zend:zend_framework:1.8.4:*:*:*:*:*:*:*
zend zend_framework 1.8.4 cpe:2.3:a:zend:zend_framework:1.8.4:pl1:*:*:*:*:*:*
zend zend_framework 1.8.5 cpe:2.3:a:zend:zend_framework:1.8.5:*:*:*:*:*:*:*
zend zend_framework 1.9.0 cpe:2.3:a:zend:zend_framework:1.9.0:*:*:*:*:*:*:*
zend zend_framework 1.9.0 cpe:2.3:a:zend:zend_framework:1.9.0:a1:*:*:*:*:*:*
zend zend_framework 1.9.0 cpe:2.3:a:zend:zend_framework:1.9.0:b1:*:*:*:*:*:*
zend zend_framework 1.9.0 cpe:2.3:a:zend:zend_framework:1.9.0:rc1:*:*:*:*:*:*
zend zend_framework 1.9.1 cpe:2.3:a:zend:zend_framework:1.9.1:*:*:*:*:*:*:*
zend zend_framework 1.9.2 cpe:2.3:a:zend:zend_framework:1.9.2:*:*:*:*:*:*:*
zend zend_framework 1.9.3 cpe:2.3:a:zend:zend_framework:1.9.3:*:*:*:*:*:*:*
zend zend_framework 1.9.3 cpe:2.3:a:zend:zend_framework:1.9.3:pl1:*:*:*:*:*:*
zend zend_framework 1.9.4 cpe:2.3:a:zend:zend_framework:1.9.4:*:*:*:*:*:*:*
zend zend_framework 1.9.5 cpe:2.3:a:zend:zend_framework:1.9.5:*:*:*:*:*:*:*
zend zend_framework 1.9.6 cpe:2.3:a:zend:zend_framework:1.9.6:*:*:*:*:*:*:*
zend zend_framework 1.9.7 cpe:2.3:a:zend:zend_framework:1.9.7:*:*:*:*:*:*:*
zend zend_framework 1.9.8 cpe:2.3:a:zend:zend_framework:1.9.8:*:*:*:*:*:*:*
zend zend_framework 1.10.0 cpe:2.3:a:zend:zend_framework:1.10.0:*:*:*:*:*:*:*
zend zend_framework 1.10.0 cpe:2.3:a:zend:zend_framework:1.10.0:alpha1:*:*:*:*:*:*
zend zend_framework 1.10.0 cpe:2.3:a:zend:zend_framework:1.10.0:beta1:*:*:*:*:*:*
zend zend_framework 1.10.0 cpe:2.3:a:zend:zend_framework:1.10.0:rc1:*:*:*:*:*:*
zend zend_framework 1.10.1 cpe:2.3:a:zend:zend_framework:1.10.1:*:*:*:*:*:*:*
zend zend_framework 1.10.2 cpe:2.3:a:zend:zend_framework:1.10.2:*:*:*:*:*:*:*
zend zend_framework 1.10.3 cpe:2.3:a:zend:zend_framework:1.10.3:*:*:*:*:*:*:*
zend zend_framework 1.10.4 cpe:2.3:a:zend:zend_framework:1.10.4:*:*:*:*:*:*:*
zend zend_framework 1.10.5 cpe:2.3:a:zend:zend_framework:1.10.5:*:*:*:*:*:*:*
zend zend_framework 1.10.6 cpe:2.3:a:zend:zend_framework:1.10.6:*:*:*:*:*:*:*
zend zend_framework 1.10.7 cpe:2.3:a:zend:zend_framework:1.10.7:*:*:*:*:*:*:*
zend zend_framework 1.10.8 cpe:2.3:a:zend:zend_framework:1.10.8:*:*:*:*:*:*:*
zend zend_framework 1.10.9 cpe:2.3:a:zend:zend_framework:1.10.9:*:*:*:*:*:*:*
zend zend_framework 1.11.0 cpe:2.3:a:zend:zend_framework:1.11.0:*:*:*:*:*:*:*
zend zend_framework 1.11.0 cpe:2.3:a:zend:zend_framework:1.11.0:b1:*:*:*:*:*:*
zend zend_framework 1.11.0 cpe:2.3:a:zend:zend_framework:1.11.0:rc1:*:*:*:*:*:*
zend zend_framework 1.11.1 cpe:2.3:a:zend:zend_framework:1.11.1:*:*:*:*:*:*:*
zend zend_framework 1.11.2 cpe:2.3:a:zend:zend_framework:1.11.2:*:*:*:*:*:*:*
zend zend_framework 1.11.3 cpe:2.3:a:zend:zend_framework:1.11.3:*:*:*:*:*:*:*
zend zend_framework 1.11.4 cpe:2.3:a:zend:zend_framework:1.11.4:*:*:*:*:*:*:*
zend zend_framework 1.11.5 cpe:2.3:a:zend:zend_framework:1.11.5:*:*:*:*:*:*:*
zend zend_framework 1.11.6 cpe:2.3:a:zend:zend_framework:1.11.6:*:*:*:*:*:*:*
zend zend_framework 1.11.7 cpe:2.3:a:zend:zend_framework:1.11.7:*:*:*:*:*:*:*
zend zend_framework 1.11.8 cpe:2.3:a:zend:zend_framework:1.11.8:*:*:*:*:*:*:*

References for CVE-2015-5161

cvelogic Threat Intelligence