CVE-2026-7263 - Vulnerability Details - OpenCVE

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Key SSVC decision points have not yet been added.

Vendors	Products
Php Group	Php

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Php Group	Php

References

Link	Providers
https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733

History

Sun, 10 May 2026 07:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Php Group Php Group php
Vendors & Products		Php Group Php Group php

Sun, 10 May 2026 06:00:00 +0000

Type	Values Removed	Values Added
Description		In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.
Title		DoS attack via DOMNode::C14N()
Weaknesses		CWE-404 CWE-835
References		https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733
Metrics		cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/RE:M/U:Amber'}`

MITRE

Status: PUBLISHED

Assigner: php

Published: 2026-05-10T04:43:04.483Z

Updated: 2026-05-10T04:46:28.150Z

Reserved: 2026-04-28T05:12:25.217Z

Link: CVE-2026-7263

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T06:16:08.343

Modified: 2026-05-10T06:16:08.343

Link: CVE-2026-7263

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T07:30:05Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7263", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2026-04-28T05:12:25.217Z", "datePublished": "2026-05-10T04:43:04.483Z", "dateUpdated": "2026-05-10T04:46:28.150Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2026-05-10T04:46:28.150Z"}, "title": "DoS attack via DOMNode::C14N()", "datePublic": "2026-05-07T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-835", "description": "CWE-835 Loop with unreachable exit condition ('infinite loop')", "type": "CWE"}]}], "affected": [{"vendor": "PHP Group", "product": "PHP", "packageName": "dom", "versions": [{"status": "affected", "version": "8.4.*", "lessThan": "8.4.21", "versionType": "semver"}, {"status": "affected", "version": "8.5.*", "lessThan": "8.5.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N()\u00a0method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, <code>DOMNode::C14N()</code> method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.<div><br></div>"}]}], "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/RE:M/U:Amber"}}], "credits": [{"lang": "en", "value": "Nikita Sveshnikov (Positive Technologies)", "type": "finder"}, {"lang": "en", "value": "Ilija Tovilo", "type": "remediation reviewer"}], "source": {"advisory": "GHSA-4jhr-8w89-j733", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N()\u00a0method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application."}], "id": "CVE-2026-7263", "lastModified": "2026-05-10T06:16:08.343", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "source": "security@php.net", "type": "Secondary"}]}, "published": "2026-05-10T06:16:08.343", "references": [{"source": "security@php.net", "url": "https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-835"}], "source": "security@php.net", "type": "Secondary"}]}