It was discovered that PHP incorrectly handled SOAP object deduplication
when processing apache:Map nodes with duplicate keys. An attacker could
possibly use this to cause a use-after-free, resulting in remote code
execution. (CVE-2026-6722)
It was discovered that PHP incorrectly handled SOAP request persistence when
configured with SOAP_PERSISTENCE_SESSION. An attacker could possibly use this
to cause a use-after-free, resulting in memory corruption, information
disclosure, or a denial of service. (CVE-2026-7261)
It was discovered that the PDO Firebird driver in PHP improperly handled NUL
bytes when quoting SQL query strings. An attacker could possibly use this to
perform SQL injection when attacker-controlled values are embedded in SQL
statements. (CVE-2025-14179)
It was discovered that PHP incorrectly handled SOAP object deduplication
when processing apache:Map nodes with duplicate keys. An attacker could
possibly use this to cause a use-after-free, resulting in remote code
execution. (CVE-2026-6722)
It was discovered that PHP incorrectly handled SOAP request persistence when
configured with SOAP_PERSISTENCE_SESSION. An attacker could possibly use this
to cause a use-after-free, resulting in memory corruption, information
disclosure, or a denial of service. (CVE-2026-7261)
It was discovered that the PDO Firebird driver in PHP improperly handled NUL
bytes when quoting SQL query strings. An attacker could possibly use this to
perform SQL injection when attacker-controlled values are embedded in SQL
statements. (CVE-2025-14179)
