AutoVulnPHP: LLM-Powered Two-Stage PHP Vulnerability Detection and Automated Localization

📅 2026-01-07
🏛️ arXiv.org
🤖 AI Summary
This work addresses long-standing challenges in PHP vulnerability detection, including insufficient semantic precision in static analysis, high overhead in dynamic analysis, coarse-grained localization, and the absence of large-scale datasets and unified toolchains. The authors propose an end-to-end framework that integrates AST-based structural analysis, data-flow augmentation, and pretrained code embeddings to generate vulnerability hypotheses, followed by syntax-guided tracing, chain-of-thought LLM reasoning, and causal consistency verification for fine-grained root cause localization. They introduce PHPVD, the first large-scale PHP vulnerability dataset, and develop a synergistic pipeline comprising SIFT-VulMiner, SAFE-VulMiner, and ISAL modules. Experiments demonstrate 99.7% accuracy and 99.5% F1-score on public benchmarks, along with an 81.0% localization success rate on PHPVD; real-world deployment uncovered 429 previously unknown vulnerabilities, 351 of which have been assigned CVE identifiers.

📝 Abstract
PHP's dominance in web development is undermined by security challenges: static analysis lacks semantic depth, causing high false positives; dynamic analysis is computationally expensive; and automated vulnerability localization suffers from coarse granularity and imprecise context. Additionally, the absence of large-scale PHP vulnerability datasets and fragmented toolchains hinder real-world deployment. We present AutoVulnPHP, an end-to-end framework coupling two-stage vulnerability detection with fine-grained automated localization. SIFT-VulMiner (Structural Inference for Flaw Triage Vulnerability Miner) generates vulnerability hypotheses using AST structures enhanced with data flow. SAFE-VulMiner (Semantic Analysis for Flaw Evaluation Vulnerability Miner) verifies candidates through pretrained code encoder embeddings, eliminating false positives. ISAL (Incremental Sequence Analysis for Localization) pinpoints root causes via syntax-guided tracing, chain-of-thought LLM inference, and causal consistency checks to ensure precision. We contribute PHPVD, the first large-scale PHP vulnerability dataset with 26,614 files (5.2M LOC) across seven vulnerability types. On public benchmarks and PHPVD, AutoVulnPHP achieves 99.7% detection accuracy, 99.5% F1 score, and 81.0% localization rate. Deployed on real-world repositories, it discovered 429 previously unknown vulnerabilities, 351 of which were assigned CVE identifiers, validating its practical effectiveness.
Problem

Research questions and friction points this paper is trying to address.

PHP vulnerability detection
automated vulnerability localization
false positives
large-scale dataset
toolchain fragmentation
Innovation

Methods, ideas, or system contributions that make the work stand out.

LLM-powered vulnerability detection
two-stage verification
fine-grained localization
PHP vulnerability dataset
syntax-guided tracing
Zhiqiang Wang
Beijing Electronic Science and Technology Institute, Beijing, China
Yizhong Ding
Beijing Electronic Science and Technology Institute, Beijing, China
Zilong Xiao
Beijing Electronic Science and Technology Institute, Beijing, China
Jinyu Lu
Beijing Electronic Science and Technology Institute, Beijing, China
Yan Jia
Nankai University
IoT Security, Vulnerability Discovery, System Security, Novel Attacks
Yanjun Li
The 15th Research Institute of China Electronics Technology Group Corporation, Beijing, China