CVE-2019-11043 — PHP FastCGI Process Manager (FPM)

known ransomware use

PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability

Added to KEV

2022-03-25

Federal due date

2022-04-15

Vendor

PHP

Product

FastCGI Process Manager (FPM)

EPSS

99.9th percentile (score 0.941, as of 2026-06-08)

NVD CVSS v3.1

—

Ransomware use

Known

Upstream

https://nvd.nist.gov/vuln/detail/CVE-2019-11043

CISA short description

In some versions of PHP in certain configurations of FPM setup, it is possible to cause FPM module to write past allocated buffers allowing the possibility of remote code execution.

Required action

Apply updates per vendor instructions.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.