VDB
CVE-2026-7262
CVE-2026-7262
PUBLISHED
CVSS 2.9000000953674316 LOW
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
EPSS 0.13% · 33.0th percentile
Risk Scores
CVSS v4.0
2.9000000953674316
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/RE:M/U:Amber
EPSS Score
0.13%
33.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PHP Group | PHP | 8.3.*, 8.4.*, * |
Timeline
- May 8, 2026 PoC Published
- May 8, 2026 PoC Published
- May 10, 2026 EPSS Score
- May 10, 2026 CVE Published
- May 11, 2026 Security Advisory
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score