| Package | php7.3 |
|---|---|
| Version | 7.3.31-1~deb10u13 (buster) |
| Related CVEs | CVE-2026-6722 CVE-2026-6735 CVE-2026-7258 CVE-2026-7261 CVE-2026-7262 CVE-2026-7568 |

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in remote code execution, information disclosure, or denial of service.

- CVE-2026-6722

  A use-after-free issue was discovered in the SOAP extension which may lead to remote code execution when an `apache:Map` node contains duplicate keys.

- CVE-2026-6735

  Conrad Draper discovered that the request URI within the PHP-FPM status page was improperly sanitized, thereby allowing cross-site scripting (XSS).

- CVE-2026-7258

  An out-of-bounds read issue was discovered in `urldecode()`, which may lead to denial of service on some platforms.

- CVE-2026-7261

  Ilia Alshanetsky discovered a use-after-free issue after header parsing failure when SoapServer is configured with `SOAP_PERSISTENCE_SESSION`, which may lead to denial of service.

- CVE-2026-7262

  Ilia Alshanetsky discovered a NULL pointer dereference issue in the SOAP `apache:Map` decoder with a missing `<value>` element, which may lead to denial of service.

- CVE-2026-7568

  Aleksey Solovev discovered a signed integer overflow in the `metaphone()` function from the PHP standard library.

For Debian 10 buster, these problems have been fixed in version 7.3.31-1~deb10u13.
We recommend that you upgrade your php7.3 packages.
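
One way to confirm that a host no longer carries a php7.3 binary package below the fixed version stated above. This is an added example, not part of the advisory; the function name `php73_outdated` and its tab-separated input layout are assumptions made here.

```shell
#!/bin/sh
# Fixed version as stated in the advisory.
FIXED_VERSION='7.3.31-1~deb10u13'

# php73_outdated (hypothetical helper): reads lines of
#   source<TAB>binary<TAB>version<TAB>status-abbrev
# on stdin and prints every installed binary package built from the
# php7.3 source package whose version sorts below FIXED_VERSION.
# Exit status: 0 = nothing outdated, 1 = at least one outdated package.
php73_outdated() {
    rc=0
    tab=$(printf '\t')
    while IFS="$tab" read -r src pkg ver st; do
        [ "$src" = "php7.3" ] || continue
        # Second status character 'i' means fully installed; this skips
        # removed-but-not-purged ("rc") entries that still list a version.
        case "$st" in
            ?i*) ;;
            *) continue ;;
        esac
        # dpkg's own ordering is required here: "~" sorts before anything
        # and "u9" is below "u13", which a plain string compare gets wrong.
        if dpkg --compare-versions "$ver" lt "$FIXED_VERSION"; then
            printf '%s %s\n' "$pkg" "$ver"
            rc=1
        fi
    done
    return "$rc"
}

# On a Debian host, feed it the live package database.
if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W \
        -f='${source:Package}\t${Package}\t${Version}\t${db:Status-Abbrev}\n' \
        | php73_outdated \
        && echo "no installed php7.3 package is below $FIXED_VERSION"
fi
```

Services such as php7.3-fpm or Apache with mod_php keep the old code loaded until they are restarted, so a clean result here does not by itself mean the running processes use the fixed build.
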
Further information about Extended LTS security advisories can be found in the dedicated section of our website.