CVE-2026-7263
DoS attack via DOMNode::C14N()
CVSS 3.1: 7.5 (HIGH)
EPSS 0.06%
Description
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, the DOMNode::C14N() method may process XML data incorrectly, creating a circular linked list in the data structure that represents the XML document. Subsequent processing of that document may then enter an infinite loop, causing denial of service in the processing application.
How to fix CVE-2026-7263
To remediate CVE-2026-7263, upgrade the affected package to one of the fixed versions listed below.
- —upgrade to 8.4.21 or later
- —upgrade to 8.4.21 or later
- —upgrade to 8.4.21 or later
- —upgrade to 8.4.21-1~deb13u1 or later
Is CVE-2026-7263 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6
- >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6
- >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6
- from 0, < 8.4.21-1~deb13u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Amber |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |