Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

PHP Out-of-bounds Read Vulnerability (CVE-2026-7258)

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.

Remediation

References

Related Vulnerabilities

WordPress Plugin Contact Form by Supsystic Cross-Site Scripting (1.7.14)

Oracle Database Server Other Vulnerability (CVE-2005-3444)

MongoDb Improper Check for Unusual or Exceptional Conditions Vulnerability (CVE-2019-20924)

ownCloud Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2013-0299)

GeoServer Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2023-51444)

Severity

High

Classification

CVE-2026-7258 CWE-125 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Missing Update Known Vulnerabilities