NVD HIGH: CVE-2026-7262 — In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, a...

Sunday, May 10, 2026 at 05:16 AM UTC·Source: NIST NVD

Updated: Thursday, May 14, 2026 at 09:00 PM UTC

Executive Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP serv

Analysis

Indicators of Compromise (1)

CVE (1)

CVE-2026-7262

NVD MITRE CVE

Source Attribution

Originally published by NIST NVD on May 10, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerability

Friday Squid Blogging: Bigfin Squid

Article about the bigfin squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy.

1h agoSchneier on Security

MEDIUMVulnerability

Colorado governor commutes prison sentence for election denier Tina Peters

Peters was sentenced to nine years for stealing voting data and has been publicly unrepentant. But Colorado Governor Jared Polis has been hinting at the decision for months. The post Colorado governor commutes prison sentence for election denier Tina Peters appeared first on CyberScoop .

3h agoCyberScoop

MEDIUMVulnerability

More than $10 million stolen from crypto platform THORChain

THORChain officials said the investigation into the incident is ongoing but explained that one of their six vaults was compromised, leading to a loss of about $10.7 million.

7h agoThe Record