CVE-2026-7263

UNKNOWN 0.0

DoS attack via DOMNode::C14N()

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

13th

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.

CWE	CWE-404 CWE-835
Vendor	php group
Product	php
Published	May 10, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for php group php

Be the first to know when new unknown vulnerabilities affecting php group php are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

PHP Group / PHP

8.4.* < 8.4.21 8.5.* < 8.5.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733

Credits

Nikita Sveshnikov (Positive Technologies) Ilija Tovilo