Critical: kusanagi-php82 Security Update

Security Advisory

Synopsis

Issued 2026-05-12
Severity Critical
Updated Packages kusanagi-php82
Affected Products KUSANAGI 9, Business Edition, Security Edition

Description

An update for kusanagi-php82 is now available.

Security fix(es):

  • Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
  • Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
  • Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179)
  • Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722)
  • Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261)
  • Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262)
  • Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568)
  • Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE information may not yet be available on those websites.

References

Updated packages listed below

This product uses the NVD API but is not endorsed or certified by the NVD.

kusanagi-php82 Module Update 8.2.31-1

Share:

KUSANAGI Open Source Licenses | KUSANAGI Business Edition, Premium Edition, Security Edition End-User License Agreement

KUSANAGI Logo and Mascots | Privacy Policy | Vulnerability Disclosure Policy | Contact US

© 2015 - 2026 GMO Prime Strategy Co., Ltd. All rights reserved