Summary

PHP released emergency updates to fix five vulnerabilities, including two critical use-after-free flaws (CVE-2026-6722 and CVE-2026-7261) that allow unauthenticated remote code execution via the SOAP extension.

Take Action:

If you run PHP on your web servers, update immediately to version 8.2.31, 8.3.31, 8.4.21, or 8.5.6. If you can't patch right away, disable the SOAP extension as a temporary measure until the update is applied.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines