On May 7, 2026, the PHP team released simultaneous security updates across all four supported branches: PHP 8.5.6, 8.4.21, 8.3.31, and 8.2.31. The release is classified as a security update for every branch, which means the usual “I’ll get to it next maintenance window” calculus does not apply here. If you run PHP-FPM — and most modern hosting stacks do — there is an XSS vulnerability patched in this release that deserves your attention today.
The FPM Status Page XSS (CVE-2026-6735)
CVE-2026-6735 is the most straightforward of the batch: the PHP-FPM status endpoint reflects the request URI into an HTML response without properly sanitizing it. CVSS 4.0 score of 7.3. An attacker who can trick someone with access to the FPM status page into following a crafted URL gets arbitrary JavaScript execution in that person’s browser — potentially useful for session theft if, for example, the status page is exposed to an internal monitoring dashboard.
The fix is simple: update PHP. The status page should also not be publicly accessible in the first place, but that is a separate conversation.
Three SOAP Memory Bugs (CVE-2026-7261, CVE-2026-6722, CVE-2026-7262)
PHP’s SOAP extension received three related patches for memory-management errors that occur when the Apache-style map mechanism is involved in request handling.
CVE-2026-7261 is a use-after-free: when a SoapServer using SOAP_PERSISTENCE_SESSION encounters a header parsing error, it frees the handler object but retains a pointer to it. Any subsequent access to that pointer is undefined behaviour — in practice, memory corruption or a crash. CVE-2026-6722 covers a similar stale-pointer problem with the Apache map’s ref_map, and CVE-2026-7262 plugs a broken NULL check in the same code path. These three travel together and were fixed together.
If you run SOAP-based integrations — payment gateways, ERP connectors, legacy enterprise APIs — this is worth treating as urgent.
MBString: Two More Memory Issues (CVE-2026-7259, CVE-2026-6104)
CVE-2026-7259 is a null pointer dereference triggered by passing certain inputs to mb_ereg_search_init(). CVE-2026-6104 is an out-of-bounds memory access in mbfl_name2encoding_ex(). Both affect PHP 8.2 through 8.5 and can be reached via malformed or attacker-controlled string data. Turkish-language sites, and any application that processes multibyte character sets, lean heavily on the mb_* family of functions and are therefore disproportionately exposed.
Standard Library: Integer Overflow and Unsigned-Char Bug (CVE-2026-7568, CVE-2026-7258)
CVE-2026-7568 patches a signed integer overflow in the metaphone() function’s character array offset calculation. CVE-2026-7258 ensures that ctype.h functions receive unsigned char values, which is the C standard’s requirement that PHP was quietly violating on certain platforms. Neither is a headline-grabbing RCE, but both are the kind of undefined-behaviour landmine that automated exploit scanners increasingly know how to poke at.
Other Security Fixes
The DOM extension received patches for CVE-2026-7263 (duplicate XML namespace declarations in C14N()) and a lexbor HTML parser upgrade that bundles CVE-2026-29078 and CVE-2026-29079. The PDO_Firebird driver was patched for CVE-2025-14179, an SQL injection via NUL bytes in quoted strings.
Which Versions Are Affected?
All of PHP 8.2.x before 8.2.31, 8.3.x before 8.3.31, 8.4.x before 8.4.21, and 8.5.x before 8.5.6 carry these vulnerabilities. PHP 8.1 and older are no longer receiving security updates — if you’re still on those branches, the only real answer is migration.
What This Means for kalfaoglu.net Customers
Servers running cPanel, DirectAdmin, or Plesk will receive PHP updates through those control panels’ update mechanisms. If you use EasyApache 4 on cPanel, the patched PHP builds should already be in the repository — run your panel’s “PHP Update” task or contact support to confirm your active PHP version. For Debian/Ubuntu stacks using Ondřej Surý’s Sury repository, apt-get update && apt-get upgrade php8.4-fpm (adjust branch as needed) is all it takes.
If you are unsure which PHP version your site is running, you can check via your hosting control panel’s PHP selector, or ask support to run php -v for you. The target version strings to look for are 8.5.6, 8.4.21, 8.3.31, or 8.2.31 depending on your branch.
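As an added example (my own, not code from the PHP project or from this post), here is a small POSIX shell helper that compares a php -v version string against the patched releases named above and reports whether the branch is patched, vulnerable, or out of support. It assumes the first line of php -v output starts with "PHP <version>", and the function names are my own.

```shell
# Added example: check a PHP version string against the patched releases
# for its branch (8.5.6, 8.4.21, 8.3.31, 8.2.31, as stated in the advisory).
php_min_for_branch() {
  case "$1" in
    8.5) echo "8.5.6" ;;
    8.4) echo "8.4.21" ;;
    8.3) echo "8.3.31" ;;
    8.2) echo "8.2.31" ;;
    *)   return 1 ;;   # 8.1 and older receive no security updates at all
  esac
}

# Pull "8.4.20" out of the first line of `php -v` output, dropping any distro
# packaging suffix such as "-1+ubuntu24.04" (constructed sample format).
php_version_from_output() {
  first=$(printf '%s\n' "$1" | head -n 1)
  v=${first#"PHP "}      # drop the leading "PHP "
  v=${v%% *}             # keep up to the first space
  printf '%s\n' "${v%%-*}"
}

# Exit status: 0 = patched, 1 = vulnerable, 2 = unsupported or unknown branch.
php_version_status() {
  ver=$1
  branch=${ver%.*}                            # 8.4.20 -> 8.4
  min=$(php_min_for_branch "$branch") || return 2
  patch=${ver##*.}; patch=${patch%%[!0-9]*}   # "21RC1" -> "21"
  minpatch=${min##*.}
  [ "$patch" -ge "$minpatch" ] && return 0
  return 1
}

# Run against the local interpreter if one is present on this host.
if command -v php >/dev/null 2>&1; then
  v=$(php_version_from_output "$(php -v)")
  rc=0; php_version_status "$v" || rc=$?
  case $rc in
    0) echo "PHP $v: patched" ;;
    2) echo "PHP $v: unsupported branch, migrate" ;;
    *) echo "PHP $v: vulnerable, update now" ;;
  esac
fi
```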
The FPM XSS alone justifies treating this as a routine-but-prompt update rather than something to defer. The SOAP and MBString fixes make it more urgent for anyone running integrations or multilingual content.
Sources: PHP 8.4.21 changelog at PHP.Watch · GHSA-7qg2-v9fj-4mwv (FPM XSS) · GHSA-m33r-qmcv-p97q (SOAP UAF) · NVD CVE-2026-6735 · Debian/Sury release notes