https://www.cvedetails.com/vulnerability-list.php?vendor_id=...
And just 10 days ago:
Code security company SonarSource today published details on a severe vulnerability impacting Packagist, which could have been abused to mount supply chain attacks targeting the PHP community.
https://www.securityweek.com/critical-packagist-vulnerabilit...
And this source says PHP is the 2nd most vulnerable server-side language in the world.
https://www.thewebmonkeyonline.com/php-security-issues-you-n...