Critical XSS and Memory Vulnerabilities in Oracle PHP Releases

Critical XSS and Memory Vulnerabilities in Oracle PHP Releases

First seen 7 Jul 2026, 01:50 UTC Linuxsecurity 89% similarity 74.0

Article Content

Browse articles
ThreatCluster

Oracle has released important security updates for PHP versions 7.4 and 8.0, addressing multiple vulnerabilities including critical cross-site scripting (XSS) flaws and memory management issues. The updates fix CVE-2026-6735, which allows XSS attacks through the status endpoint, and CVE-2026-7259, which involves a null pointer dereference in the mb_check_encoding function. Other vulnerabilities include CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7568, and CVE-2026-7258, all published on 2026-05-10. Affected systems include Oracle Linux 8 and 9, with specific updates for PHP 7.4 and 8.0. Users are urged to apply these patches immediately to mitigate potential exploitation risks. The vulnerabilities could lead to unauthorized access and data breaches if left unaddressed.

Key Points: • Critical XSS vulnerability (CVE-2026-6735) fixed in Oracle PHP updates. • Multiple memory management issues addressed in PHP versions 7.4 and 8.0. • Patches available for Oracle Linux 8 and 9; immediate application recommended.

ThreatCluster AI

Timeline

2026-05-10
Multiple CVEs published
CVE-2026-6735, CVE-2026-7259, CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7568, and CVE-2026-7258 disclosed, affecting Oracle PHP.
Linuxsecurity
2026-05-10
CVE-2026-7258 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-10
CVE-2026-7568 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-10
CVE-2026-6735 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-10
CVE-2026-6722 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-10
CVE-2026-7262 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-10
CVE-2026-7261 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-10
CVE-2026-7259 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-07-06
Oracle releases security updates
Oracle issued important updates for PHP 7.4 and 8.0, addressing critical vulnerabilities including XSS and memory issues.
Linuxsecurity
2026-07-06
Updates for Oracle9 PHP released
Security updates for Oracle9 PHP version 8.0.30 released, fixing similar vulnerabilities as Oracle8.
Linuxsecurity

Community

Browse all →