cbcvebase.
CVE-2026-7263
published 2026-05-10

CVE-2026-7263: In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the…

PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.35%
27.2th percentile
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.

Affected

13 ranges
VendorProductVersion rangeFixed in
debianphp8.4
phpphp
phpphp>= 8.4.0 < 8.4.218.4.21
phpphp>= 8.5.0 < 8.5.68.5.6
php_7.4php
php_8.2php
php_8.3php
php_groupphp>= 8.4.* < 8.4.218.4.21
php_groupphp>= 8.5.* < 8.5.68.5.6
ubuntuphp8.1
ubuntuphp8.3
ubuntuphp8.4
ubuntuphp8.5

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv4.06.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Amber
vendor_ubuntu7.4HIGH
vendor_redhat6.3MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.