{"id":"MGASA-2026-0127","summary":"Updated php packages fix security vulnerabilities","details":"FPM: Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint).\n(CVE-2026-6735)\nMBString: Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in\nphp_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)\nOpenSSL: Fix compatibility issues with OpenSSL 4.0.\nPDO_Firebird: Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in\nquoted strings). (CVE-2025-14179)\nSOAP:\n- Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with\nApache Map). (CVE-2026-6722)\n- Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure\nwith SOAP_PERSISTENCE_SESSION). (CVE-2026-7261)\n- Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check).\n(CVE-2026-7262)\nStandard:\n- Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array\noffset). (CVE-2026-7568)\n- Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h\nfunctions). (CVE-2026-7258)\n","modified":"2026-05-13T07:32:53.391885547Z","published":"2026-05-13T07:00:52Z","upstream":["CVE-2025-14179","CVE-2026-6722","CVE-2026-6735","CVE-2026-7258","CVE-2026-7259","CVE-2026-7261","CVE-2026-7262","CVE-2026-7568"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2026-0127.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=35481"},{"type":"WEB","url":"https://www.php.net/ChangeLog-8.php#8.2.31"}],"affected":[{"package":{"name":"php","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/php?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8.2.31-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2026-0127.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}