Vulnerability-Lookup

RHSA-2026:14125

Vulnerability from csaf_redhat - Published: 2026-05-06 12:25 - Updated: 2026-05-19 11:19

Summary

Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

Severity

Moderate

Notes

Topic: An update for Red Hat Hardened Images RPMs is now available.

Details: This update includes the following RPMs: php: * php-8.5.6-1.hum1 (aarch64, x86_64) * php-bcmath-8.5.6-1.hum1 (aarch64, x86_64) * php-cli-8.5.6-1.hum1 (aarch64, x86_64) * php-common-8.5.6-1.hum1 (aarch64, x86_64) * php-dba-8.5.6-1.hum1 (aarch64, x86_64) * php-dbg-8.5.6-1.hum1 (aarch64, x86_64) * php-devel-8.5.6-1.hum1 (aarch64, x86_64) * php-embedded-8.5.6-1.hum1 (aarch64, x86_64) * php-enchant-8.5.6-1.hum1 (aarch64, x86_64) * php-ffi-8.5.6-1.hum1 (aarch64, x86_64) * php-fpm-8.5.6-1.hum1 (aarch64, x86_64) * php-gd-8.5.6-1.hum1 (aarch64, x86_64) * php-gmp-8.5.6-1.hum1 (aarch64, x86_64) * php-intl-8.5.6-1.hum1 (aarch64, x86_64) * php-ldap-8.5.6-1.hum1 (aarch64, x86_64) * php-mbstring-8.5.6-1.hum1 (aarch64, x86_64) * php-mysqlnd-8.5.6-1.hum1 (aarch64, x86_64) * php-odbc-8.5.6-1.hum1 (aarch64, x86_64) * php-pdo-8.5.6-1.hum1 (aarch64, x86_64) * php-pdo-dblib-8.5.6-1.hum1 (aarch64, x86_64) * php-pdo-firebird-8.5.6-1.hum1 (aarch64, x86_64) * php-pgsql-8.5.6-1.hum1 (aarch64, x86_64) * php-process-8.5.6-1.hum1 (aarch64, x86_64) * php-snmp-8.5.6-1.hum1 (aarch64, x86_64) * php-soap-8.5.6-1.hum1 (aarch64, x86_64) * php-sodium-8.5.6-1.hum1 (aarch64, x86_64) * php-tidy-8.5.6-1.hum1 (aarch64, x86_64) * php-xml-8.5.6-1.hum1 (aarch64, x86_64) * php-8.5.6-1.hum1.src (src)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-6735

A flaw was found in PHP, specifically within the PHP-FPM status page. Due to improper sanitation of user data, a remote attacker can craft a malicious URL. When a user views the PHP-FPM status page with this crafted URL, it can lead to the execution of arbitrary JavaScript code (Cross-Site Scripting or XSS) on their machine, potentially compromising their browser session or leading to further attacks.

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:php-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:php-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:php-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-7258

A flaw was found in PHP. Some functions, including `urldecode()`, incorrectly pass signed characters to character type (ctype) functions. On certain systems, this can lead to accessing memory with a negative offset. This vulnerability can be exploited by an attacker to trigger a denial of service (DoS), making the affected PHP application or system unavailable.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-839 - Numeric Range Comparison Without Minimum Check

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:php-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:php-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:php-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

References

16 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:14125	self
https://images.redhat.com/	external
https://access.redhat.com/security/cve/CVE-2026-7258	external
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/security/cve/CVE-2026-6735	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-6735	self
https://bugzilla.redhat.com/show_bug.cgi?id=2468562	external
https://www.cve.org/CVERecord?id=CVE-2026-6735	external
https://nvd.nist.gov/vuln/detail/CVE-2026-6735	external
https://github.com/php/php-src/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-7258	self
https://bugzilla.redhat.com/show_bug.cgi?id=2468561	external
https://www.cve.org/CVERecord?id=CVE-2026-7258	external
https://nvd.nist.gov/vuln/detail/CVE-2026-7258	external
https://github.com/php/php-src/security/advisorie…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\nphp:\n  * php-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-bcmath-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-cli-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-common-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-dba-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-dbg-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-devel-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-embedded-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-enchant-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-ffi-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-fpm-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-gd-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-gmp-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-intl-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-ldap-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-mbstring-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-mysqlnd-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-odbc-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-pdo-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-pdo-dblib-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-pdo-firebird-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-pgsql-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-process-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-snmp-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-soap-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-sodium-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-tidy-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-xml-8.5.6-1.hum1 (aarch64, x86_64)\n  * php-8.5.6-1.hum1.src (src)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:14125",
        "url": "https://access.redhat.com/errata/RHSA-2026:14125"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-7258",
        "url": "https://access.redhat.com/security/cve/CVE-2026-7258"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-6735",
        "url": "https://access.redhat.com/security/cve/CVE-2026-6735"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_14125.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-05-19T11:19:32+00:00",
      "generator": {
        "date": "2026-05-19T11:19:32+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.0"
        }
      },
      "id": "RHSA-2026:14125",
      "initial_release_date": "2026-05-06T12:25:50+00:00",
      "revision_history": [
        {
          "date": "2026-05-06T12:25:50+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-19T11:16:22+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-19T11:19:32+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-main@aarch64",
                "product": {
                  "name": "php-main@aarch64",
                  "product_id": "php-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/php@8.5.6-1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-main@src",
                "product": {
                  "name": "php-main@src",
                  "product_id": "php-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/php@8.5.6-1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-main@x86_64",
                "product": {
                  "name": "php-main@x86_64",
                  "product_id": "php-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/php@8.5.6-1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:php-main@aarch64"
        },
        "product_reference": "php-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:php-main@src"
        },
        "product_reference": "php-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:php-main@x86_64"
        },
        "product_reference": "php-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-6735",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2026-05-10T05:00:51.510797+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2468562"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in PHP, specifically within the PHP-FPM status page. Due to improper sanitation of user data, a remote attacker can craft a malicious URL. When a user views the PHP-FPM status page with this crafted URL, it can lead to the execution of arbitrary JavaScript code (Cross-Site Scripting or XSS) on their machine, potentially compromising their browser session or leading to further attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:php-main@aarch64",
          "Red Hat Hardened Images:php-main@src",
          "Red Hat Hardened Images:php-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-6735"
        },
        {
          "category": "external",
          "summary": "RHBZ#2468562",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468562"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-6735",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6735"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6735",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6735"
        },
        {
          "category": "external",
          "summary": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv",
          "url": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv"
        }
      ],
      "release_date": "2026-05-10T03:27:00.607000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-06T12:25:50+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:php-main@aarch64",
            "Red Hat Hardened Images:php-main@src",
            "Red Hat Hardened Images:php-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:14125"
        },
        {
          "category": "workaround",
          "details": "Restrict network access to the PHP-FPM status page to trusted internal networks or localhost. This can be achieved by configuring web server access controls (e.g., Apache httpd or Nginx) to deny external access to the status page URL. If the PHP-FPM status page functionality is not required, it should be disabled in the PHP-FPM configuration. Any changes to web server or PHP-FPM configuration may require a service reload or restart to take effect.",
          "product_ids": [
            "Red Hat Hardened Images:php-main@aarch64",
            "Red Hat Hardened Images:php-main@src",
            "Red Hat Hardened Images:php-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:php-main@aarch64",
            "Red Hat Hardened Images:php-main@src",
            "Red Hat Hardened Images:php-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation"
    },
    {
      "cve": "CVE-2026-7258",
      "cwe": {
        "id": "CWE-839",
        "name": "Numeric Range Comparison Without Minimum Check"
      },
      "discovery_date": "2026-05-10T05:00:48.844483+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2468561"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in PHP. Some functions, including `urldecode()`, incorrectly pass signed characters to character type (ctype) functions. On certain systems, this can lead to accessing memory with a negative offset. This vulnerability can be exploited by an attacker to trigger a denial of service (DoS), making the affected PHP application or system unavailable.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:php-main@aarch64",
          "Red Hat Hardened Images:php-main@src",
          "Red Hat Hardened Images:php-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-7258"
        },
        {
          "category": "external",
          "summary": "RHBZ#2468561",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468561"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-7258",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-7258"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7258",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7258"
        },
        {
          "category": "external",
          "summary": "https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4",
          "url": "https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4"
        }
      ],
      "release_date": "2026-05-10T04:28:14.520000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-06T12:25:50+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:php-main@aarch64",
            "Red Hat Hardened Images:php-main@src",
            "Red Hat Hardened Images:php-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:14125"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Hardened Images:php-main@aarch64",
            "Red Hat Hardened Images:php-main@src",
            "Red Hat Hardened Images:php-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:php-main@aarch64",
            "Red Hat Hardened Images:php-main@src",
            "Red Hat Hardened Images:php-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "PHP: PHP: Denial of Service via improper handling of signed characters in ctype functions"
    }
  ]
}

CVE-2026-6735 (GCVE-0-2026-6735)

Vulnerability from cvelistv5 – Published: 2026-05-10 03:27 – Updated: 2026-05-11 13:25

Title

XSS within PHP-FPM status endpoint

Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

Severity ?

7.3 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber

CWE

CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')

Assigner

php

References

1 reference

URL	Tags
https://github.com/php/php-src/security/advisorie…

Impacted products

1 product

Vendor	Product	Version
PHP Group	PHP	Affected: 8.2.* , < 8.2.31 (semver) Affected: 8.3.* , < 8.3.31 (semver) Affected: 8.4.* , < 8.4.21 (semver) Affected: 8.5.* , < 8.5.6 (semver)

Date Public ?

2026-05-07 12:56

Credits

conradfd@proton.me

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6735",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T13:25:43.011891Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T13:25:54.957Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.2.31",
              "status": "affected",
              "version": "8.2.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.31",
              "status": "affected",
              "version": "8.3.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4.21",
              "status": "affected",
              "version": "8.4.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.6",
              "status": "affected",
              "version": "8.5.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "conradfd@proton.me"
        }
      ],
      "datePublic": "2026-05-07T12:56:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it\u0026nbsp;\u003cspan\u003eallows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target\u0027s machine when the target is viewing the\u0026nbsp;\u003c/span\u003e\u003cspan\u003ePHP-FPM status page.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it\u00a0allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target\u0027s machine when the target is viewing the\u00a0PHP-FPM status page."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "PRESENT",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T03:27:00.607Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "url": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv"
        }
      ],
      "source": {
        "advisory": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9f",
        "discovery": "EXTERNAL"
      },
      "title": "XSS within PHP-FPM status endpoint",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2026-6735",
    "datePublished": "2026-05-10T03:27:00.607Z",
    "dateReserved": "2026-04-21T00:39:47.273Z",
    "dateUpdated": "2026-05-11T13:25:54.957Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7258 (GCVE-0-2026-7258)

Vulnerability from cvelistv5 – Published: 2026-05-10 04:28 – Updated: 2026-05-11 13:06

Title

Out-of-bounds read in urldecode() on NetBSD

Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.

Severity ?

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/U:Amber

CWE

CWE-125 - Out-of-bounds Read

Assigner

php

References

1 reference

URL	Tags
https://github.com/php/php-src/security/advisorie…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
PHP Group	PHP	Affected: 8.2.* , < 8.2.31 (semver) Affected: 8.3.* , < 8.3.31 (semver) Affected: 8.4.* , < 8.4.21 (semver) Affected: 8.5.* , < 8.5.6 (semver)

Date Public ?

2026-05-07 00:00

Credits

xfourj Ilija Tovilo

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7258",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T13:05:55.470310Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T13:06:10.908Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "platforms": [
            "NetBSD"
          ],
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.2.31",
              "status": "affected",
              "version": "8.2.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.31",
              "status": "affected",
              "version": "8.3.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4.21",
              "status": "affected",
              "version": "8.4.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.6",
              "status": "affected",
              "version": "8.5.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "xfourj"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ilija Tovilo"
        }
      ],
      "datePublic": "2026-05-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like\u0026nbsp;\u003ccode\u003eisxdigit()\u003c/code\u003e). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which\u0026nbsp;can trigger a denial of service."
            }
          ],
          "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like\u00a0isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which\u00a0can trigger a denial of service."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T04:45:03.566Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4"
        }
      ],
      "source": {
        "advisory": "GHSA-m8rr-4c36-8gq4",
        "discovery": "EXTERNAL"
      },
      "title": "Out-of-bounds read in urldecode() on NetBSD",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2026-7258",
    "datePublished": "2026-05-10T04:28:14.520Z",
    "dateReserved": "2026-04-28T04:58:17.457Z",
    "dateUpdated": "2026-05-11T13:06:10.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:14125

CVE-2026-6735 (GCVE-0-2026-6735)

CVE-2026-7258 (GCVE-0-2026-7258)

Tags

Sightings

Nomenclature