CVE-2026-6722 — PHP SOAP UAF in SOAP_GLOBAL(ref_map) (with companions CVE-2026-7261 / CVE-2026-7262)
notable vulnerability discovered 2026-05-11 05:00 UTC
Part of run 2026-W20-71c96b25 (weekly · Claude Opus 4.7)
CVE-2026-6722 is a use-after-free in the PHP SOAP extension's SOAP_GLOBAL(ref_map), rated CVSS 9.5. It has two related companions, CVE-2026-7261 and CVE-2026-7262, both SOAP-class and rated CVSS 6.3 each. All three were patched on 2026-05-07 in PHP 8.5.6 and the equivalent releases on the maintained 8.4 / 8.3 / 8.2 branches, per the official PHP GHSA. There was no in-the-wild (ITW) exploitation at week-end; the 2026-05-11 daily recommends explicit patch validation for any web-facing PHP infrastructure with SOAP enabled (daily 2026-05-11; PHP GHSA-85c2-q967-79q5).