PT-2026-39458 · Php+2
Ilija Tovilo +1
Published 2026-05-10 · Updated 2026-05-28
CVE-2026-7263
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
PHP versions 8.4.0 through 8.4.20
PHP versions 8.5.0 through 8.5.5
Description
The DOMNode::C14N() method may process XML data incorrectly, leading to the creation of a circular linked list within the data structure that represents the XML document. This flaw can cause subsequent processing of the document to enter an infinite loop, resulting in a denial of service for the application.
Recommendations
Update PHP version 8.4.x to 8.4.21.
Update PHP version 8.5.x to 8.5.6.
As a temporary workaround, restrict the use of the DOMNode::C14N() method when processing untrusted XML data.
Fix
DoS
Infinite Loop
Improper Resource Release
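One way to apply the temporary workaround from the recommendations in application code, as an added example that is not part of the advisory or of PHP itself. The helper names c14n_runtime_affected() and guarded_c14n() and the $trusted flag are hypothetical; the version ranges are the ones listed on this page.

```php
<?php
declare(strict_types=1);

// Ranges from this advisory, written as [first affected, first fixed release).
const C14N_AFFECTED_RANGES = [
    ['8.4.0', '8.4.21'],
    ['8.5.0', '8.5.6'],
];

/** True when $version falls inside a range this advisory lists as affected. */
function c14n_runtime_affected(string $version = PHP_VERSION): bool
{
    // Compare only major.minor.patch; drop build suffixes such as "-dev" or "-1ubuntu1".
    if (!preg_match('/^\d+\.\d+\.\d+/', $version, $m)) {
        return true; // unparseable version string: fail closed
    }
    foreach (C14N_AFFECTED_RANGES as [$first, $fixed]) {
        if (version_compare($m[0], $first, '>=') && version_compare($m[0], $fixed, '<')) {
            return true;
        }
    }
    return false;
}

/** Hypothetical wrapper: canonicalize only trusted input while the runtime is unpatched. */
function guarded_c14n(DOMNode $node, bool $trusted): string
{
    if (!$trusted && c14n_runtime_affected()) {
        throw new RuntimeException('C14N() on untrusted XML is disabled until PHP is updated (CVE-2026-7263)');
    }
    $out = $node->C14N();
    if ($out === false) {
        throw new RuntimeException('C14N() failed');
    }
    return $out;
}

// Constructed sample version strings, plus the running interpreter.
foreach (['8.3.30', '8.4.20', '8.4.21', '8.5.5-dev', '8.5.6', PHP_VERSION] as $v) {
    printf("%-12s %s\n", $v, c14n_runtime_affected($v) ? 'affected' : 'not affected');
}
```

Distribution packages may carry the fix under an unchanged upstream version string, so on such systems treat an "affected" result as a prompt to check the package changelog for CVE-2026-7263.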
Related Identifiers
Affected Products
Linuxmint
Php
Ubuntu