Improper url-decoding of cookie names can lead to "cookie confusion," allowing attackers to forge secure-prefixed cookies like CVE-2019-11043 Remote Code Execution A buffer underflow in env_path_info in PHP-FPM when paired with specific Nginx configurations. CVE-2021-21703 Local Privilege Escalation
While no dedicated exploit repository appears to have gained significant traction, the vulnerability is documented in PHP's official bug tracker with a patch available at https://bugs.php.net/patch-display.php?bug=79699&patch=fix-urldecode . CVE feeds track GitHub repositories for emerging PoC exploits. php 7.2.34 exploit github