cbcvebase.
CVE-2026-7261
published 2026-05-10

CVE-2026-7261: In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with…

PriorityP353critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.30%
21.8th percentile
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.

Affected

17 ranges
VendorProductVersion rangeFixed in
debianphp8.4
phpphp
phpphp>= 8.2.0 < 8.2.318.2.31
phpphp>= 8.3.0 < 8.3.318.3.31
phpphp>= 8.4.0 < 8.4.218.4.21
phpphp>= 8.5.0 < 8.5.68.5.6
php_7.4php
php_8.2php
php_8.3php
php_groupphp>= 8.2.* < 8.2.318.2.31
php_groupphp>= 8.3.* < 8.3.318.3.31
php_groupphp>= 8.4.* < 8.4.218.4.21
php_groupphp>= 8.5.* < 8.5.68.5.6
ubuntuphp8.1
ubuntuphp8.3
ubuntuphp8.4
ubuntuphp8.5

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.06.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:M/U:Amber
vendor_redhat9.8CRITICAL
vendor_ubuntu7.4HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.