Fix Critical PHP CVEs
Fix CRITICAL and HIGH CVEs in PHP Composer packages. Paste composer.json and download a patched version — no login, no CLI.
⚠ The Problem
composer audit flags a critical CVE but doesn't output a fixed composer.json for download.
Bad Configuration — composer.json
{
    "require": {
        "phpmailer/phpmailer": "^6.5.0",
        "intervention/image": "^2.7"
    }
}
Fixed Configuration — composer.json
{
    "require": {
        "phpmailer/phpmailer": "^6.9.1",
        "intervention/image": "^3.7"
    }
}
✓ Fix
phpmailer/phpmailer 6.5.0 has known injection vulnerabilities. intervention/image 2.7 has XSS risk. Update to safe versions above. After updating, run composer install.
Scan your dependencies now — paste your manifest, get a fixed version back in seconds.
Open PackageFix → No signup · No CLI · No GitHub connection · Runs 100% in your browser
Frequently Asked Questions
Does CISA KEV include PHP packages?
Yes. Several Symfony and Laravel CVEs have appeared in CISA KEV. PackageFix checks the live catalog.
How do I fix a transitive PHP vulnerability?
Use Composer's conflict key to block the vulnerable version range so the solver cannot install it, or add the fixed version directly to require so it becomes a direct dependency. PackageFix generates the correct syntax.
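The example below shows the two fixes from the answer above as a small script. It is an added illustration, not PackageFix's code or any Composer tooling: it walks a composer.lock dependency graph to find which direct dependency pulls in the vulnerable package (the same question `composer why` answers), then either raises the constraint in require when the package is direct, or adds a conflict entry when it is transitive. The package names example/image-toolkit and example/exif-parser, their versions, and the fixed version 1.4.2 are constructed placeholders, not real advisories.

```python
"""Find a vulnerable transitive Composer package and emit the composer.json fix."""
import json

# Constructed sample data: the example/* packages, versions and the
# "fixed" version used below are placeholders, not real advisories.
MANIFEST = {
    "require": {
        "example/image-toolkit": "^2.0",
        "phpmailer/phpmailer": "^6.9.1",
    }
}
LOCK = {
    "packages": [
        {"name": "example/image-toolkit", "version": "2.1.0",
         "require": {"example/exif-parser": "^1.0"}},
        {"name": "example/exif-parser", "version": "1.3.0",
         "require": {"php": ">=7.4"}},
        {"name": "phpmailer/phpmailer", "version": "6.9.1",
         "require": {"php": ">=5.5.0"}},
    ]
}


def parse_version(v):
    """Turn '1.3.0' or 'v1.3.0' into a comparable tuple (pre-release suffix dropped)."""
    return tuple(int(p) for p in v.lstrip("v").split("-")[0].split("."))


def locked_version(lock, name):
    """Version of `name` recorded in composer.lock, or None if it is not installed."""
    for pkg in lock["packages"]:
        if pkg["name"] == name:
            return pkg["version"]
    return None


def dependency_paths(manifest, lock, target):
    """Every chain from a direct dependency down to `target` (what `composer why -r` shows)."""
    graph = {p["name"]: list(p.get("require", {})) for p in lock["packages"]}
    paths = []

    def walk(name, path):
        if name == target:
            paths.append(path)
            return
        for dep in graph.get(name, []):      # platform packages like "php" have no entry
            if dep not in path:              # guard against cycles
                walk(dep, path + [dep])

    for direct in manifest["require"]:
        walk(direct, [direct])
    return paths


def fix_manifest(manifest, lock, target, fixed_version):
    """Return a manifest that keeps versions of `target` below `fixed_version` out of the install.

    Direct dependency  -> raise the constraint in "require".
    Transitive         -> add a "conflict" entry, which makes the solver refuse
                          every version below the fix (or fail loudly if no
                          parent allows a fixed version).
    """
    current = locked_version(lock, target)
    if current is None or parse_version(current) >= parse_version(fixed_version):
        return manifest                      # not installed or already fixed
    fixed = json.loads(json.dumps(manifest))  # deep copy; never mutate the input
    if target in fixed["require"]:
        fixed["require"][target] = "^" + fixed_version
    else:
        fixed.setdefault("conflict", {})[target] = "<" + fixed_version
    return fixed


if __name__ == "__main__":
    target, fixed_at = "example/exif-parser", "1.4.2"
    for path in dependency_paths(MANIFEST, LOCK, target):
        print("pulled in via:", " -> ".join(path))
    print(json.dumps(fix_manifest(MANIFEST, LOCK, target, fixed_at), indent=4))
```

A conflict entry only forbids the bad range; it does not upgrade anything by itself. After adding it, run `composer update example/exif-parser --with-all-dependencies` so the solver can move the parent package as well, then confirm with `composer audit`. If no version of the parent accepts a fixed release, Composer refuses to resolve and names the package that pins the old range, which is the signal to upgrade or replace that parent.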
What is Packagist OSV data?
OSV aggregates vulnerability data for PHP packages from the GitHub Advisory Database, FriendsOfPHP security advisories, and other sources.
How do I verify a PHP CVE fix?
After updating, run composer audit (Composer 2.4+). If the CVE ID no longer appears in the output, the fix is in place.