CVEs affecting projects tracked on Release Alert, from NVD & OSV.
PHP 7.1.5 has an Out of bounds access in php_pcre_replace_impl via a crafted preg_replace call.