FALCONINTERNET

PHP Just Patched Every Supported Branch at Once. Here's Why That Matters.

On May 7, the PHP project shipped security releases across every supported branch at once: 8.5.6, 8.4.21, 8.3.31, and 8.2.31. Coordinated releases like this usually mean one thing — the fixes matter.

What got fixed

  • CVE-2026-6735 (CVSS 7.3): a cross-site scripting flaw in PHP-FPM's status page. If your FPM status endpoint is exposed — and on a surprising number of servers, it quietly is — this is your reminder to lock it down and patch.
  • A SoapServer use-after-free: memory corruption bugs in SOAP handling are the kind of thing that starts as a crash and matures into an exploit. Legacy integrations love SOAP; attackers love legacy integrations.
  • Assorted string-handling fixes that close off smaller memory-safety issues.

The boring metric that predicts breaches

Here's an unglamorous truth from three decades of running PHP servers: the difference between sites that get compromised and sites that don't is rarely some exotic zero-day. It's patch latency — the gap between a fix shipping and a fix being applied.

Most exploitation happens in that gap. Attackers read release notes too, and a published patch is effectively a map to the vulnerability. When a coordinated release like this lands, the clock starts.

What to do this week

Check your PHP version (php -v, or ask your host). If you're on a supported branch, the update should already be applied or scheduled — within days, not quarters. If you're on an unsupported branch (8.1 or older), patches like this no longer reach you at all, and the upgrade conversation is overdue.
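As an added example that is not part of the original post: a small POSIX shell script that classifies a PHP version string (as printed by php -v, including distro suffixes) against the four patched versions named above, and, for the FPM status page from the first bullet, probes whether it answers from outside the host. The /status path and the example.com hostname are assumptions; use whatever pm.status_path you actually configured.

```shell
#!/bin/sh
# Added example, not from the original post: classify an installed PHP
# version against the patched versions the post lists (8.5.6, 8.4.21,
# 8.3.31, 8.2.31) and probe whether an FPM status page answers publicly.

# Return 0 if dotted version $1 is greater than or equal to $2.
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}; a_patch=${a_rest#*.}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}; b_patch=${b_rest#*.}
    if [ "$a_major" -ne "$b_major" ]; then [ "$a_major" -gt "$b_major" ]
    elif [ "$a_minor" -ne "$b_minor" ]; then [ "$a_minor" -gt "$b_minor" ]
    else [ "$a_patch" -ge "$b_patch" ]
    fi
}

# Print "patched", "VULNERABLE (below X)", "UNSUPPORTED" or "unknown" for a
# version string as printed by `php -v` or PHP_VERSION, including distro
# suffixes such as "8.3.31-1+ubuntu24.04". Exit status is 0 only when patched.
php_patch_status() {
    # Keep the first X.Y.Z in the string; leading text such as "PHP " is skipped.
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$v" ]; then echo unknown; return 1; fi
    case "${v%.*}" in
        8.5) min=8.5.6 ;;
        8.4) min=8.4.21 ;;
        8.3) min=8.3.31 ;;
        8.2) min=8.2.31 ;;
        *)   # 8.1 and older get no fixes; anything newer than 8.5 is outside this table
             if version_ge "$v" 8.6.0; then echo "untracked (newer than table)"; return 0; fi
             echo UNSUPPORTED; return 1 ;;
    esac
    if version_ge "$v" "$min"; then echo patched; return 0; fi
    echo "VULNERABLE (below $min)"; return 1
}

# Return 0 if the URL answers HTTP 200 from wherever this runs, i.e. the FPM
# status page is reachable from here. The path is whatever pm.status_path is
# set to; "/status" below is an assumed, common choice. Run this from OUTSIDE the host.
fpm_status_exposed() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1") || code=000
    [ "$code" = "200" ]
}

# Report on the local interpreter when one is installed.
if command -v php >/dev/null 2>&1; then
    printf 'local php: '; php_patch_status "$(php -r 'echo PHP_VERSION;')" || true
fi
# Example probe (assumed hostname): fpm_status_exposed https://example.com/status && echo "status page is public"
```

A non-zero exit from php_patch_status makes it usable as a cron or monitoring check; a 200 from fpm_status_exposed against your own host means the allow-list in front of the status page is not doing its job.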

On our managed platforms this release was rolled out the week it shipped, the way patches should be: quietly, promptly, and without anyone's site noticing. That cadence isn't heroics — it's just the job.

Need this handled instead of explained?

We do this for a living — talk to an engineer about your setup.