In various PHP versions, including 8.1.* before 8.1.28, 8.2.* before 8.2.18, and 8.3.* before 8.3.5, there is a vulnerability when using the proc_open() command with array syntax due to insufficient escaping. If a malicious user controls the arguments of the executed command, they can supply arguments that execute arbitrary commands in the Windows shell. Additionally, the fix for CVE-2024-1874 in PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 is ineffective if the command name includes trailing spaces. Furthermore, when using Apache and PHP-CGI on Windows in these same PHP versions, certain code pages might cause Windows to use “Best-Fit” behavior, which can lead to the PHP CGI module misinterpreting characters as PHP options. This misinterpretation could allow a malicious user to pass options to the PHP binary, potentially exposing script source code or running arbitrary PHP code on the server. Lastly, due to a code logic error in these PHP versions, the ‘ filter_var ‘ function when validating URLs (FILTER_VALIDATE_URL) might incorrectly accept invalid user information as valid, leading to downstream code accepting and parsing these invalid URLs incorrectly.