Synopsis
| Issued | 2026-05-13 |
| Severity | Critical |
| Updated Packages | kusanagi-php85 |
| Affected Products | Business Edition, KUSANAGI 9, Security Edition |
Description
An update for kusanagi-php85 is now available.
Security fix(es):
- Fixed GHSA-4jhr-8w89-j733 and GH-21566 (DomXMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263)
- Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
- Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
- Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104)
- Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179)
- Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722)
- Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261)
- Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262)
- Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568)
- Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258)
- Fixed CVE-2026-42371 (uriparser before 1.0.1 has numeric truncation in text range comparison). (CVE-2026-42371)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE information may not yet be available on those websites.
References
- CVE-2026-7263
- CVE-2026-6735
- CVE-2026-7259
- CVE-2026-6104
- CVE-2025-14179
- CVE-2026-6722
- CVE-2026-7261
- CVE-2026-7262
- CVE-2026-7568
- CVE-2026-7258
- CVE-2026-42371
