CVE-2026-6722
A use-after-free issue was discovered in the SOAP extension which
may lead to remote code execution when an apache:Map node contains
duplicate key.
CVE-2026-6735
Conrad Draper discovered that the request URI within the PHP-FPM
status page was improperly sanitized, thereby allowing cross-site
scripting (XSS).
CVE-2026-7258
An out-of-bounds read issue was discovered in `urldecode()`, which
may lead to denial of service on some platforms.
CVE-2026-7261
Ilia Alshanetsky discovered a use-after-free issue after header
parsing failure when SoapServer is configured with
SOAP_PERSISTENCE_SESSION, which may lead to denial of service.
CVE-2026-7262
Ilia Alshanetsky discovered a NULL pointer deference issue in SOAP
apache:Map decoder with missing `
to denial of service.
CVE-2026-7568
Aleksey Solovev discovered a signed integer overflow in the
`metaphone()` function from the PHP standard library.
Get the latest Linux and open source security news straight to your inbox.