SCA: security update for php-standard-library/h2, php-standard-library/php-standard-library (GHSA-pw9p-jvrm-f7rm)

high Tenable Self-Hosted Container Security Plugin ID 444076

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PHP Standard Library (PSL) is a set of APIs covering async, collections, networking, I/O, cryptography,
terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, Psl\H2\ServerConnection does not validate that
the total number of bytes received in DATA frames matches the content-length header declared in the
HEADERS frame, allowing request smuggling. This violates RFC 9113 §8.1.1. A malicious client can send
more DATA bytes than declared, smuggling additional content past application-level size limits, or send
fewer DATA bytes than declared and close the stream early, causing applications that trust the declared
length to behave incorrectly. The vulnerability is only reachable for consumers using
Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers of documented high-level
PSL APIs are not affected. This issue has been fixed in versions 6.1.2 and 6.2.1. (CVE-2026-48979)
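To show the kind of check the fixed versions enforce, here is an added illustration (not PSL's code; the `RequestStream` class, `run_frames` helper and the frame sequences are constructed) of a server-side HTTP/2 stream that reconciles DATA frame bytes with the declared content-length and rejects both the over-long and the truncated case, as RFC 9113 §8.1.1 requires.

```python
# Constructed example, not the PSL implementation: per-stream accounting of
# DATA payload bytes against the content-length declared in HEADERS.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

class StreamError(Exception):
    """Stream error (PROTOCOL_ERROR in RFC 9113 terms) for a malformed request."""

@dataclass
class RequestStream:
    declared_length: Optional[int] = None   # content-length from HEADERS, if any
    received: int = 0                       # running total of DATA payload bytes
    body: bytearray = field(default_factory=bytearray)

    def on_headers(self, headers: Dict[str, str], end_stream: bool = False) -> None:
        value = headers.get("content-length")
        if value is not None:
            if not value.isdigit():
                raise StreamError("malformed content-length")
            self.declared_length = int(value)
        if end_stream:          # HEADERS with END_STREAM means an empty body
            self.on_end_stream()

    def on_data(self, payload: bytes, end_stream: bool) -> None:
        self.received += len(payload)
        # Over-long body: reject as soon as the declared length is exceeded, so
        # extra bytes never reach a consumer that sized its limits on the header.
        if self.declared_length is not None and self.received > self.declared_length:
            raise StreamError(f"received {self.received} bytes, declared {self.declared_length}")
        self.body.extend(payload)
        if end_stream:
            self.on_end_stream()

    def on_end_stream(self) -> None:
        # Truncated body: the peer closed the stream before the declared length.
        if self.declared_length is not None and self.received != self.declared_length:
            raise StreamError(f"stream ended at {self.received} bytes, declared {self.declared_length}")

def run_frames(headers: Dict[str, str],
               data_frames: List[Tuple[bytes, bool]]) -> Tuple[bool, int, Optional[str]]:
    """Feed one HEADERS frame then DATA frames; return (accepted, bytes_received, error)."""
    stream = RequestStream()
    try:
        stream.on_headers(headers, end_stream=not data_frames)
        for payload, end_stream in data_frames:
            stream.on_data(payload, end_stream)
        return True, stream.received, None
    except StreamError as exc:
        return False, stream.received, str(exc)
```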

Solution

Update the php-standard-library/h2 library and its related packages to version 6.1.2 or later.

See Also

https://github.com/advisories/GHSA-pw9p-jvrm-f7rm

Plugin Details

Severity: High

ID: 444076

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 6/27/2026

Updated: 6/27/2026

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2026-48979

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/26/2026

Vulnerability Publication Date: 6/17/2026

Reference Information

CVE: CVE-2026-48979

CWE: CWE-444