ctipilot.ch


CVE-2026-6722 — PHP SOAP UAF in SOAP_GLOBAL(ref_map) (with companions CVE-2026-7261 / CVE-2026-7262)

notable vulnerability discovered 2026-05-11 05:00 UTC

Part of run 2026-W20-71c96b25 (weekly · Claude Opus 4.7)

Use-after-free in the PHP SOAP extension's SOAP_GLOBAL(ref_map), CVSS 9.5, with two related companions (CVE-2026-7261 and CVE-2026-7262, both SOAP-class, CVSS 6.3 each). Patched on 2026-05-07 in PHP 8.5.6 and in equivalent releases across the maintained 8.4 / 8.3 / 8.2 branches, per the official PHP GHSA. No in-the-wild (ITW) exploitation at week-end; the daily brief of 2026-05-11 recommends explicit patch validation for any web-facing PHP infrastructure with SOAP enabled (daily 2026-05-11; PHP GHSA-85c2-q967-79q5).
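One way to script the patch validation recommended above, as an added example that is not part of the brief or of the PHP project. The function names and status strings are assumptions; only 8.5.6 is treated as a known fixed release, because the brief does not list the fixed versions for the 8.4 / 8.3 / 8.2 branches.

```shell
#!/bin/sh
# Added example: triage a PHP install against the fix level named in this brief.
# Fixed releases for 8.4 / 8.3 / 8.2 are not on the page; read them from the
# PHP GHSA instead of guessing them here.

FIXED_85_PATCH=6   # from the brief: patched in PHP 8.5.6

# classify_php VERSION SOAP_LOADED(yes|no) -> prints one status word (assumed names)
classify_php() {
    raw=$1; soap=$2
    # Without the SOAP extension loaded, the SOAP code path is not reachable.
    [ "$soap" = "yes" ] || { echo "soap-not-loaded"; return 0; }
    ver=${raw%%[!0-9.]*}          # numeric prefix: 8.5.5-1ubuntu1 -> 8.5.5
    suffix=${raw#"$ver"}          # distro build or pre-release tag, if any
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    case "$major.$minor" in
        8.5)
            if [ "${patch:-0}" -gt "$FIXED_85_PATCH" ]; then echo "patched"
            # A suffix means a distro backport or an RC: the number alone
            # cannot prove whether the fix is present.
            elif [ -n "$suffix" ]; then echo "verify-manually"
            elif [ "${patch:-0}" -eq "$FIXED_85_PATCH" ]; then echo "patched"
            else echo "vulnerable"; fi ;;
        8.4|8.3|8.2) echo "check-ghsa" ;;   # fixed release not stated in the brief
        *) echo "not-covered" ;;            # branch not named in the brief
    esac
}

# Report on the PHP CLI found on this host, if there is one.
audit_local_php() {
    command -v php >/dev/null 2>&1 || { echo "php-cli-not-found"; return 0; }
    v=$(php -r 'echo PHP_VERSION;')
    if php -m | grep -qix 'soap'; then s=yes; else s=no; fi
    echo "php $v soap=$s -> $(classify_php "$v" "$s")"
}

audit_local_php
```

The CLI and the web SAPI (FPM, Apache module) can load different ini files, so confirm the SOAP state on the SAPI that actually serves requests.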

vulnerabilities rce patch-available global CVE-2026-6722 CVE-2026-7261 CVE-2026-7262