PatchSiren

PHP Group CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM PHP Group CVE published 2026-05-10

CVE-2026-7263

CVE-2026-7263 is a medium-severity PHP denial-of-service issue in DOMNode::C14N(). In affected PHP releases, incorrect XML processing can corrupt the document structure into a circular linked list, and later processing may loop indefinitely. The practical risk is application hang or service degradation for workloads that canonicalize or further process XML documents.

MEDIUM PHP Group CVE published 2026-05-10

CVE-2026-6104

CVE-2026-6104 is a PHP mbstring vulnerability disclosed on 2026-05-10. In affected PHP 8.4.* and 8.5.* releases, an encoding name containing an embedded NUL byte can make mbstring incorrectly treat a strncasecmp() match as proof that the strings are the same length. That logic error can lead to an out-of-bounds read of global memory, which may result in a crash or information disclosure.

MEDIUM PHP Group CVE published 2026-05-10

CVE-2026-7568

CVE-2026-7568 is a PHP availability issue in the metaphone() function. According to the published description, very large inputs can trigger signed integer overflow in the position-tracking logic, which can result in undefined behavior, an out-of-bounds read, and process instability such as a crash or access to unrelated memory. The issue is documented for PHP 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4 [truncated]

LOW PHP Group CVE published 2026-05-10

CVE-2026-7262

CVE-2026-7262 is a denial-of-service vulnerability in PHP’s SOAP server handling when a typemap is configured. In affected releases, a decoding mistake checks the wrong variable when a value element is missing, leading to a NULL pointer dereference and segmentation fault. A remote unauthenticated attacker can trigger a crash in the PHP SOAP server process.

MEDIUM PHP Group CVE published 2026-05-10

CVE-2026-7261

CVE-2026-7261 is a PHP vulnerability in SoapServer session persistence that can turn a SOAP request error into a use-after-free condition. The issue affects PHP 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6 when SOAP_PERSISTENCE_SESSION is enabled. Because the handler object is persisted across requests via session storage, incorrect cleanup on error can leave a dan [truncated]

LOW PHP Group CVE published 2026-05-10

CVE-2026-7259

CVE-2026-7259 is a low-severity PHP denial-of-service issue. In affected PHP releases, a mismatch between Oniguruma and mbfl encoding lists can lead to a NULL pointer dereference and segmentation fault when user-controlled input can influence the encoding passed to mb_regex_encoding(). The practical risk is application crash rather than code execution or data loss, but exposed services can still suffer av [truncated]

MEDIUM PHP Group CVE published 2026-05-10

CVE-2026-7258

CVE-2026-7258 is a denial-of-service issue in PHP’s handling of some input-processing functions, including urldecode(). On affected systems with default signed char behavior and optimized table-lookup ctype implementations, a negative array offset may be accessed, which can crash the process. The issue was published on 2026-05-10 and is rated CVSS 6.3 (Medium).

CRITICAL PHP Group CVE published 2026-05-10

CVE-2026-6722

CVE-2026-6722 is a critical PHP vulnerability in the SOAP extension’s object deduplication path. According to the published description, stale pointers can remain in a global map without proper reference counting, leading to a use-after-free when duplicate SOAP map entries and href references are processed. In affected releases, attacker-controlled SOAP request bodies may be able to trigger remote code ex [truncated]

HIGH PHP Group CVE published 2026-05-10

CVE-2025-14179

CVE-2025-14179 is a high-severity SQL injection issue in PHP's PDO Firebird driver. In affected releases, a NUL byte inside quoted string data can cause the driver to drop the closing quote during query construction, which may let later SQL tokens be parsed as part of the attacker-controlled string.

Known exploited PHP Group CVE published 2024-06-12

CVE-2024-4577

CVE-2024-4577 is an OS command injection vulnerability in PHP-CGI that CISA lists in its Known Exploited Vulnerabilities catalog. That makes it a high-priority issue for defenders, especially because CISA also marks it as associated with known ransomware campaign use. The supplied sources do not include affected versions or patch details, so remediation should follow vendor instructions and CISA guidance.