CVE-2026-7263 MEDIUM

CVE-2026-7263: DoS attack via DOMNode::C14N()

Vendor Php Group
Product PHP
Weakness CWE-404
Published May 10, 2026
Last update June 30, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/RE:M/U:Amber

What the vulnerability does

01Description

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.

Key dates

02Disclosure timeline

May 10, 2026 CVE published
June 30, 2026 Record updated