PHP 8.5.6 / 8.4.21 / 8.3.31 / 8.2.31: What's Actually in the May Security Patch
On May 7, 2026, the PHP team released simultaneous security updates across all four supported branches: PHP 8.5.6, 8.4.21, 8.3.31, and 8.2.31. The release is classified as a security update for every branch, which means the usual “I’ll get to it next maintenance window” calculus does not apply here. If you run PHP-FPM — and most modern hosting stacks do — there is an XSS vulnerability patched in this release that deserves your attention today. ...