PHP 8.5.6 / 8.4.21 / 8.3.31 / 8.2.31: What's Actually in the May Security Patch
PHP released simultaneous security updates on May 7, 2026 for all four supported branches (8.5.6, 8.4.21, 8.3.31, 8.2.31). Key fixes include: CVE-2026-6735, an XSS vulnerability in the PHP-FPM status page that reflects unsanitized URIs; three SOAP extension memory bugs (use-after-free, stale pointer, broken NULL check) affecting SOAP_PERSISTENCE_SESSION; two MBString memory issues (null pointer dereference and out-of-bounds access); and standard library fixes for integer overflow in metaphone() and an unsigned-char bug. Additional patches cover DOM extension XML issues and a PDO_Firebird SQL injection via NUL bytes. All PHP 8.2–8.5 versions prior to the patched releases are affected; PHP 8.1 and older no longer receive security updates.
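A version triage check for the affected ranges stated above, as an added example that is not from the original page or the PHP project. The function name `php_patch_status` and the sample version strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the PHP project): classify a PHP version string
# against the patched releases named above: 8.5.6, 8.4.21, 8.3.31, 8.2.31.
# Caveat: distribution packages often backport fixes without bumping the
# upstream number, so "affected" here means "check the package changelog".

php_patch_status() {
    ver=$1
    # Pre-release builds are not covered by the article; do not guess.
    case $ver in
        *RC*|*alpha*|*beta*|*dev*) echo unknown; return 0 ;;
    esac
    # Keep the leading major.minor.patch, dropping suffixes like "-1ubuntu1".
    core=$(printf '%s\n' "$ver" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$core" ] || { echo unknown; return 0; }
    set -- $core
    major=$1 minor=$2 patch=$3

    if [ "$major" -lt 8 ]; then echo eol; return 0; fi
    if [ "$major" -gt 8 ]; then echo unknown; return 0; fi
    # First patched release per supported 8.x branch, as listed in the article.
    case $minor in
        0|1) echo eol; return 0 ;;
        2|3) fixed=31 ;;
        4)   fixed=21 ;;
        5)   fixed=6 ;;
        *)   echo unknown; return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo affected; fi
}

# Constructed sample inventory (not real hosts).
for v in 8.5.5 8.4.21 8.3.30-1ubuntu1 8.2.31 8.1.34 7.4.33 8.6.0RC1; do
    printf '%-18s %s\n' "$v" "$(php_patch_status "$v")"
done
```

On a host, feed it the runtime's own version with `php_patch_status "$(php -r 'echo PHP_VERSION;')"`, and run it separately for the CLI and FPM binaries if they are packaged independently.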