All versions of PHP 8.0 below 8.0.20 are vulnerable to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626 which was patched in PHP 8.0.20 on Jun 9, three weeks ago. OpenBSD 7.0 repo still offers remotely exploitable PHP 8.0.17.
- [php 8.0] obsd 7.0 provides vulnerable php 8.0.17 stolen data
- Re: [php 8.0] obsd 7.0 provides vulnerable php 8.0.1... Stuart Henderson
