CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

USN-8513-1: PHP vulnerabilities

unknownCVE-2026-6722CVE-2026-7261CVE-2025-14179
It was discovered that PHP incorrectly handled SOAP object deduplication when processing apache:Map nodes with duplicate keys. An attacker could possibly use this to cause a use-after-free, resulting in remote code execution. (CVE-2026-6722) It was discovered that PHP incorrectly handled SOAP request persistence when configured with SOAP_PERSISTENCE_SESSION. An attacker could possibly use this to cause a use-after-free, resulting in memory corruption, information disclosure, or a denial of service. (CVE-2026-7261) It was discovered that the PDO Firebird driver in PHP improperly handled NUL bytes when quoting SQL query strings. An attacker could possibly use this to perform SQL injection when attacker-controlled values are embedded in SQL statements. (CVE-2025-14179)

CSIRTS triage

What
Multiple vulnerabilities could lead to remote code execution, memory corruption, or SQL injection.
Who is affected
Deployments of PHP that utilize the affected features.
Urgency
Remediation is critical due to the potential for severe impacts including remote code execution.
Action
Update PHP to the latest version.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch PHP

Get an email when a new PHP advisory drops — max one per day, one-click unsubscribe.

Details

Source
Ubuntu Security Notices (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://ubuntu.com/security/notices/USN-8513-1

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-6722coverage & exploitation statusNVD · CVE.org
CVE-2026-7261coverage & exploitation statusNVD · CVE.org
CVE-2025-14179coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from Ubuntu Security Notices