Potential Denial of Service in PHP's XML Processing
CVE-2026-7263

6.3MEDIUM

Key Information:

Vendor: PHP Group
Status: PHP
Vendor: CVE Published:; 10 May 2026

What is CVE-2026-7263?

In specific versions of PHP, the DOMNode::C14N() method mishandles XML data, potentially creating a circular linked list in the document's data structure. This malfunction may lead to infinite loops during XML processing in applications, resulting in denial of service. It is crucial for users of affected PHP versions to apply available security updates and safeguard their applications from potential disruptions.

Affected Version(s)

PHP 8.4.* < 8.4.21

PHP 8.5.* < 8.5.6

References

https://github.com/php/php-src/security/advisories/GHSA-4...

vendor-advisory

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 10, 2026
Vulnerability Reserved
Apr 28, 2026

Credit

Nikita Sveshnikov (Positive Technologies)

Ilija Tovilo

CVE-2026-7263 Data

JSON

PHP Group

What is CVE-2026-7263?

Affected Version(s)

References

CVSS V4

Timeline

Credit