VDB

CVE-2026-7263

CVE-2026-7263 PUBLISHED CVSS 6.3 MEDIUM

Reported by php · Published May 10, 2026

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.

EPSS 0.05% · 17.5th percentile

Risk Scores

CVSS v4.0
6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/RE:M/U:Amber
EPSS Score
0.05%
17.5th percentile

Affected Products

VendorProductVersions
PHP GroupPHP8.4.*, 8.5.*
PHP GroupPHP8.4.*, *

Timeline

  • May 8, 2026 PoC Published
  • May 10, 2026 EPSS Score
  • May 10, 2026 CVE Published
  • May 11, 2026 Security Advisory
  • May 11, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score

References

  • vendor-advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›