ctipilot.ch

CVE-2026-6722 — PHP SOAP UAF in `SOAP_GLOBAL(ref_map)` (with companions CVE-2026-7261 / CVE-2026-7262)

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Use-after-free in the PHP SOAP extension's `SOAP_GLOBAL(ref_map)`, CVSS 9.5, with two related companions (CVE-2026-7261 and CVE-2026-7262, both SOAP-class, CVSS 6.3 each). Patched on 2026-05-07 in PHP 8.5.6 and the equivalent releases on the maintained 8.4 / 8.3 / 8.2 branches, per the official PHP GHSA. No in-the-wild (ITW) exploitation as of week-end; the 2026-05-11 daily recommends explicit patch validation for any web-facing PHP infrastructure with SOAP enabled (daily 2026-05-11; PHP GHSA-85c2-q967-79q5).
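
One way to script the patch validation recommended above, as an added example that is not part of the brief or the PHP advisory: it reports whether the SOAP extension is loaded and whether the PHP version is at or above the fixed release for its branch. Only 8.5.6 comes from the brief; the function names and the `FIXED_84` / `FIXED_83` / `FIXED_82` variables are assumptions of this example, to be filled in from the GHSA.

```shell
#!/bin/sh
# Added example (not from the advisory): triage one PHP host for CVE-2026-6722.
# The brief states only the 8.5 fix (8.5.6). Fixed releases for 8.4/8.3/8.2 are
# placeholders to fill in from the PHP GHSA via FIXED_84 / FIXED_83 / FIXED_82.

fixed_for_branch() {   # prints the fixed release for branch $1, or nothing
  case "$1" in
    8.5) echo "8.5.6" ;;
    8.4) echo "${FIXED_84:-}" ;;
    8.3) echo "${FIXED_83:-}" ;;
    8.2) echo "${FIXED_82:-}" ;;
  esac
}

ver_ge() {             # true when X.Y.Z in $1 >= X.Y.Z in $2 (numeric per field)
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# classify VERSION_STRING MODULE_LIST
#   prints NOT_EXPOSED | PATCHED | VULNERABLE | CHECK_ADVISORY
classify() {
  # SOAP extension not loaded: outside the scope the brief flags (SOAP enabled).
  if ! printf '%s\n' "$2" | grep -qix 'soap'; then echo NOT_EXPOSED; return 0; fi
  # Keep only X.Y.Z; packaging suffixes after the version are dropped.
  ver=$(printf '%s\n' "$1" |
    sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
  if [ -z "$ver" ]; then echo CHECK_ADVISORY; return 0; fi
  fixed=$(fixed_for_branch "${ver%.*}")
  # Fixed release unknown for this branch: do not guess, send to manual review.
  if [ -z "$fixed" ]; then echo CHECK_ADVISORY; return 0; fi
  if ver_ge "$ver" "$fixed"; then echo PATCHED; else echo VULNERABLE; fi
}

# With the argument "check", query the local PHP. Point this at the PHP build
# that serves web traffic: CLI and FPM/Apache can load different ini files.
if [ "${1:-}" = "check" ]; then
  classify "$(php -r 'echo PHP_VERSION;')" "$(php -m)"
fi
```

A `VULNERABLE` result on a distribution package still needs a look at the package changelog, since distributions can backport a fix without changing the upstream version number.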