From 4cd51d2ae8cfc95f3393faeea5fbefd09c769089 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 19 May 2026 11:50:05 +0200
Subject: Fix XSS within status endpoint

  CVE-2026-6735
Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
  CVE-2026-7261
Fix Broken Apache map value NULL check
  CVE-2026-7262
---
 failed.txt              |   2 +-
 php-cve-2026-6735.patch | 226 ++++++++++++++++++++++++++++++++++++++++++++++++
 php-cve-2026-7261.patch | 150 ++++++++++++++++++++++++++++++++
 php-cve-2026-7262.patch | 121 ++++++++++++++++++++++++++
 php-fpm.service         |   2 +-
 php.spec                |  20 ++++-
 6 files changed, 516 insertions(+), 5 deletions(-)
 create mode 100644 php-cve-2026-6735.patch
 create mode 100644 php-cve-2026-7261.patch
 create mode 100644 php-cve-2026-7262.patch

diff --git a/failed.txt b/failed.txt
index 18493f3..c654b29 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 5.6.40-45 (2024-12-06)
+===== 5.6.40-46 (2026-05-19)
 
 $ grep -r 'Tests failed' /var/lib/mock/scl56*/build.log
 
diff --git a/php-cve-2026-6735.patch b/php-cve-2026-6735.patch
new file mode 100644
index 0000000..ba1dbb0
--- /dev/null
+++ b/php-cve-2026-6735.patch
@@ -0,0 +1,226 @@
+From 3322601b31ccedeb13a3203bbe5fd7b6cb4679a9 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 19 May 2026 09:47:08 +0200
+Subject: [PATCH 5/5] GHSA-7qg2-v9fj-4mwv: [fpm] XSS within status endpoint
+
+Fixes GHSA-7qg2-v9fj-4mwv
+Fixes CVE-2026-6735
+
+(cherry picked from commit 99a5ad7441de9914246c7863adb6997396008b9d)
+(cherry picked from commit 943de7efee24c0e7d826a3469d3b35b4ad0f4193)
+---
+ NEWS                                          |  4 ++
+ sapi/fpm/fpm/fpm_status.c                     | 20 ++++--
+ .../tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt | 62 +++++++++++++++++++
+ 3 files changed, 82 insertions(+), 4 deletions(-)
+ create mode 100644 sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
+
+diff --git a/NEWS b/NEWS
+index b46e2b0c5d..d8ae595068 100644
+--- a/NEWS
++++ b/NEWS
+@@ -3,6 +3,10 @@ PHP                                                                        NEWS
+ 
+ Backported from 8.2.31
+ 
++- FPM:
++  . Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
++    (Jakub Zelenka)
++
+ - SOAP:
+   . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with
+     SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
+diff --git a/sapi/fpm/fpm/fpm_status.c b/sapi/fpm/fpm/fpm_status.c
+index a2ee398d29..d9a8263089 100644
+--- a/sapi/fpm/fpm/fpm_status.c
++++ b/sapi/fpm/fpm/fpm_status.c
+@@ -384,8 +384,8 @@ int fpm_status_handle_request(TSRMLS_D) /* {{{ */
+ 		/* no need to test the var 'full' */
+ 		if (full_syntax) {
+ 			int i, first;
+-			size_t len;
+-			char *query_string;
++			size_t len, len_uri;
++			char *query_string, *request_uri_string;
+ 			struct timeval duration, now;
+ #ifdef HAVE_FPM_LQ
+ 			float cpu;
+@@ -412,13 +412,22 @@ int fpm_status_handle_request(TSRMLS_D) /* {{{ */
+ 					}
+ 				}
+ 
++				request_uri_string = NULL;
++				len_uri = 0;
++				if (proc.request_uri[0] != '\0') {
++					if (!encode) {
++						request_uri_string = proc.request_uri;
++					} else {
++						request_uri_string = php_escape_html_entities_ex((unsigned char *)proc.request_uri, strlen(proc.request_uri), &len_uri, 1, ENT_DISALLOWED | ENT_HTML_DOC_XML1 | ENT_COMPAT, NULL, 1 TSRMLS_CC);
++					}
++				}
+ 				query_string = NULL;
+ 				len = 0;
+ 				if (proc.query_string[0] != '\0') {
+ 					if (!encode) {
+ 						query_string = proc.query_string;
+ 					} else {
+-						query_string = php_escape_html_entities_ex((unsigned char *)proc.query_string, strlen(proc.query_string), &len, 1, ENT_HTML_IGNORE_ERRORS & ENT_COMPAT, NULL, 1 TSRMLS_CC);
++						query_string = php_escape_html_entities_ex((unsigned char *)proc.query_string, strlen(proc.query_string), &len, 1, ENT_DISALLOWED | ENT_HTML_DOC_XML1 | ENT_COMPAT, NULL, 1 TSRMLS_CC);
+ 					}
+ 				}
+ 
+@@ -445,7 +454,7 @@ int fpm_status_handle_request(TSRMLS_D) /* {{{ */
+ 					proc.requests,
+ 					duration.tv_sec * 1000000UL + duration.tv_usec,
+ 					proc.request_method[0] != '\0' ? proc.request_method : "-",
+-					proc.request_uri[0] != '\0' ? proc.request_uri : "-",
++					request_uri_string ? request_uri_string: "-",
+ 					query_string ? "?" : "",
+ 					query_string ? query_string : "",
+ 					proc.content_length,
+@@ -461,6 +470,9 @@ int fpm_status_handle_request(TSRMLS_D) /* {{{ */
+ 				if (len > 0 && query_string) {
+ 					efree(query_string);
+ 				}
++				if (len_uri > 0 && request_uri_string) {
++					efree(request_uri_string);
++				}
+ 			}
+ 
+ 			if (full_post) {
+diff --git a/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
+new file mode 100644
+index 0000000000..55827b1bc8
+--- /dev/null
++++ b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
+@@ -0,0 +1,62 @@
++--TEST--
++FPM: Test status page
++--SKIPIF--
++<?php include "skipif.inc"; ?>
++--FILE--
++<?php
++
++include "include.inc";
++
++$logfile = dirname(__FILE__).'/php-fpm.log.tmp';
++$port = 9000+PHP_INT_SIZE;
++
++$cfg = <<<EOT
++[global]
++error_log = $logfile
++[unconfined]
++listen = 127.0.0.1:$port
++pm.status_path = /status
++pm = dynamic
++pm.max_children = 5
++pm.start_servers = 2
++pm.min_spare_servers = 2
++pm.max_spare_servers = 3
++EOT;
++
++$fpm = run_fpm($cfg, $tail);
++if (is_resource($fpm)) {
++    fpm_display_log($tail, 2);
++    try {
++
++		$html = run_request('127.0.0.1', $port, '/<script>alert(1)</script>', '<script>alert(2)</script>');
++
++		$html = run_request('127.0.0.1', $port, '/status', 'full&html');
++		var_dump(strpos($html, 'text/html') && strpos($html, 'DOCTYPE') && strpos($html, 'PHP-FPM Status Page'));
++		var_dump(strpos($html, 'alert(1)') && strpos($html, 'alert(2)'));
++		var_dump(strpos($html, '<script>'));
++		//var_dump($html);
++
++		echo "IPv4 ok\n";
++	} catch (Exception $e) {
++		echo "IPv4 error\n";
++	}
++
++	proc_terminate($fpm);
++    stream_get_contents($tail);
++    fclose($tail);
++    proc_close($fpm);
++}
++
++?>
++--EXPECTF--
++[%d-%s-%d %d:%d:%d] NOTICE: fpm is running, pid %d
++[%d-%s-%d %d:%d:%d] NOTICE: ready to handle connections
++bool(true)
++bool(true)
++bool(false)
++IPv4 ok
++--CLEAN--
++<?php
++    $logfile = dirname(__FILE__).'/php-fpm.log.tmp';
++    @unlink($logfile);
++?>
+-- 
+2.54.0
+
+From 630b48523b5a0de368138c421bd3dbae6b0552a0 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 19 May 2026 11:25:29 +0200
+Subject: [PATCH] relax test (may fail when script not in status page)
+
+(cherry picked from commit 31ed74945eb92e073b51bd8ca114a123c9c20990)
+---
+ sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
+index 55827b1bc8..674b4ddcb3 100644
+--- a/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
++++ b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
+@@ -32,9 +32,11 @@ if (is_resource($fpm)) {
+ 
+ 		$html = run_request('127.0.0.1', $port, '/status', 'full&html');
+ 		var_dump(strpos($html, 'text/html') && strpos($html, 'DOCTYPE') && strpos($html, 'PHP-FPM Status Page'));
+-		var_dump(strpos($html, 'alert(1)') && strpos($html, 'alert(2)'));
+-		var_dump(strpos($html, '<script>'));
+-		//var_dump($html);
++
++		// output only if script present but not escaped
++		if (strpos($html, 'alert') && strpos($html, '<script>')) {
++			var_dump($html);
++		}
+ 
+ 		echo "IPv4 ok\n";
+ 	} catch (Exception $e) {
+@@ -52,8 +54,6 @@ if (is_resource($fpm)) {
+ [%d-%s-%d %d:%d:%d] NOTICE: fpm is running, pid %d
+ [%d-%s-%d %d:%d:%d] NOTICE: ready to handle connections
+ bool(true)
+-bool(true)
+-bool(false)
+ IPv4 ok
+ --CLEAN--
+ <?php
+-- 
+2.54.0
+
+From 4abe506a9863ec2f236689fc6b64549cc2fcb260 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 19 May 2026 11:40:42 +0200
+Subject: [PATCH 2/2] fix test name
+
+(cherry picked from commit 16802565461621322e97ba7ac22e2699885ed73a)
+---
+ sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
+index 674b4ddcb3..912237c5e2 100644
+--- a/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
++++ b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
+@@ -1,5 +1,5 @@
+ --TEST--
+-FPM: Test status page
++FPM: GHSA-7qg2-v9fj-4mwv - status xss
+ --SKIPIF--
+ <?php include "skipif.inc"; ?>
+ --FILE--
+-- 
+2.54.0
+
diff --git a/php-cve-2026-7261.patch b/php-cve-2026-7261.patch
new file mode 100644
index 0000000..e837601
--- /dev/null
+++ b/php-cve-2026-7261.patch
@@ -0,0 +1,150 @@
+From 7c59254cb466056131b09304c0d1001e6c434fe7 Mon Sep 17 00:00:00 2001
+From: Ilija Tovilo <ilija.tovilo@me.com>
+Date: Sun, 3 May 2026 19:57:16 +0200
+Subject: [PATCH 1/5] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after
+ header parsing failure with SOAP_PERSISTENCE_SESSION
+
+Fixes GHSA-m33r-qmcv-p97q
+Fixes CVE-2026-7261
+
+(cherry picked from commit db2a7f9348fd5dda5fd162061786a664c417bf5b)
+(cherry picked from commit 5dd8dd8493d49bb6fcd810a6e9d2ffb6fdc15714)
+(cherry picked from commit 63cf032e9675d7d2bbc007c8c787597187a7567b)
+(cherry picked from commit dd14d36e31dd99b7589f917924840fe4f46ca022)
+(cherry picked from commit 7b354983a33c314b76c594c9c5b790e3b073dcf1)
+
+adapt test for 7.2
+
+(cherry picked from commit f91bcf961ac15eacabf33f86f62c17dbec4a39ab)
+(cherry picked from commit ab6fa685773d4efea4de2df4956c97ffd65637e2)
+(cherry picked from commit f91ab4e04bc2f254ea1e49e1b76ff55adbbe3892)
+
+adapt test for 5.6
+---
+ ext/soap/soap.c                         | 26 +++++++++--
+ ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 62 +++++++++++++++++++++++++
+ 2 files changed, 85 insertions(+), 3 deletions(-)
+ create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
+
+diff --git a/ext/soap/soap.c b/ext/soap/soap.c
+index 569701a469..21f11be7fa 100644
+--- a/ext/soap/soap.c
++++ b/ext/soap/soap.c
+@@ -1837,7 +1837,17 @@ PHP_METHOD(SoapServer, handle)
+ 					php_output_discard(TSRMLS_C);
+ 					soap_server_fault_ex(function, &h->retval, h TSRMLS_CC);
+ 					efree(fn_name);
+-					if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(&soap_obj);}
++					if (service->type == SOAP_CLASS && soap_obj) {
++#if HAVE_PHP_SESSION && !defined(COMPILE_DL_SESSION)
++					    if (service->soap_class.persistance != SOAP_PERSISTENCE_SESSION) {
++						zval_ptr_dtor(&soap_obj);
++						soap_obj = NULL;
++					    }
++#else
++					    zval_ptr_dtor(&soap_obj);
++					    soap_obj = NULL;
++#endif
++					}
+ 					goto fail;
+ 				} else if (EG(exception)) {
+ 					php_output_discard(TSRMLS_C);
+@@ -1852,7 +1862,17 @@ PHP_METHOD(SoapServer, handle)
+ 						soap_server_fault_ex(function, EG(exception), h TSRMLS_CC);
+ 					}
+ 					efree(fn_name);
+-					if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(&soap_obj);}
++					if (service->type == SOAP_CLASS && soap_obj) {
++#if HAVE_PHP_SESSION && !defined(COMPILE_DL_SESSION)
++					    if (service->soap_class.persistance != SOAP_PERSISTENCE_SESSION) {
++						zval_ptr_dtor(&soap_obj);
++						soap_obj = NULL;
++					    }
++#else
++					    zval_ptr_dtor(&soap_obj);
++					    soap_obj = NULL;
++#endif
++					}
+ 					goto fail;
+ 				}
+ 			} else if (h->mustUnderstand) {
+@@ -2838,7 +2858,7 @@ static void do_soap_call(zval* this_ptr,
+ 	} zend_catch {
+ 		_bailout = 1;
+ 	} zend_end_try();
+-	
++
+ 	if (SOAP_GLOBAL(encoding) != NULL) {
+ 		xmlCharEncCloseFunc(SOAP_GLOBAL(encoding));
+ 	}
+diff --git a/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
+new file mode 100644
+index 0000000000..ae94c67c96
+--- /dev/null
++++ b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
+@@ -0,0 +1,62 @@
++--TEST--
++GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
++--CREDITS--
++Ilia Alshanetsky (iliaal)
++--EXTENSIONS--
++soap
++session
++--FILE--
++<?php
++
++class Handler {
++  function __call($name, $args) {
++    if ($name == "return") {
++        return new SoapFault('Server', 'denied');
++    } else if ($name == "throw") {
++        throw new SoapFault('Server', 'denied');
++    } else if ($name == "hello") {
++        return 'ok';
++    } else {
++      return new SoapFault("Server","Function $name doesn't exist");
++    }
++  }
++}
++
++session_start();
++
++$srv = new SoapServer(null, ['uri' => 'urn:a']);
++$srv->setClass(Handler::class);
++$srv->setPersistence(SOAP_PERSISTENCE_SESSION);
++
++$x = <<<XML
++<?xml version="1.0" encoding="UTF-8"?>
++<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
++    <soap:Header>
++        <a:return/>
++    </soap:Header>
++    <soap:Body>
++        <a:hello/>
++    </soap:Body>
++</soap:Envelope>
++XML;
++$srv->handle($x);
++
++$x = <<<XML
++<?xml version="1.0" encoding="UTF-8"?>
++<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
++    <soap:Header>
++        <a:throw/>
++    </soap:Header>
++    <soap:Body>
++        <a:hello/>
++    </soap:Body>
++</soap:Envelope>
++XML;
++$srv->handle($x);
++
++?>
++--EXPECT--
++<?xml version="1.0" encoding="UTF-8"?>
++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
++<?xml version="1.0" encoding="UTF-8"?>
++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+-- 
+2.54.0
+
diff --git a/php-cve-2026-7262.patch b/php-cve-2026-7262.patch
new file mode 100644
index 0000000..30cc1df
--- /dev/null
+++ b/php-cve-2026-7262.patch
@@ -0,0 +1,121 @@
+From 2000ef9d03eec8264287a4bcbd642496fe982f2d Mon Sep 17 00:00:00 2001
+From: Ilija Tovilo <ilija.tovilo@me.com>
+Date: Sat, 25 Apr 2026 00:44:37 +0200
+Subject: [PATCH 2/5] GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value
+ NULL check
+
+Fixes GHSA-hmxp-6pc4-f3vv
+Fixes CVE-2026-7262
+
+(cherry picked from commit 79551ab8b1a97760c739e372f9bc359619f3554d)
+(cherry picked from commit aed3e63e282235b32a07ca28cc20728eedfcfec3)
+(cherry picked from commit 8c897384b867a573d52a04b455fe2da30671d0ea)
+(cherry picked from commit b41a11a9786cc5b6b343b47c37ad8c1fdc2dbf33)
+(cherry picked from commit 254773b5b1d0ef25409c35e74b87c5ef93459115)
+(cherry picked from commit c21561700dcfc3304322845c2d3da028c3c73345)
+(cherry picked from commit 16c2b25d363d73d72a3139e747cc9d5c8d5bef2b)
+(cherry picked from commit b1bc3b191eb9ff6ca90f90572ba8fac016163fe9)
+---
+ ext/soap/php_encoding.c                 |  2 +-
+ ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt | 39 +++++++++++++++++++++++++
+ 2 files changed, 40 insertions(+), 1 deletion(-)
+ create mode 100644 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
+
+diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
+index 0f85ddde1b..40e87f238e 100644
+--- a/ext/soap/php_encoding.c
++++ b/ext/soap/php_encoding.c
+@@ -2850,7 +2850,7 @@ static zval *to_zval_map(encodeTypePtr type, xmlNodePtr data TSRMLS_DC)
+ 			}
+ 
+ 			xmlValue = get_node(item->children, "value");
+-			if (!xmlKey) {
++			if (!xmlValue) {
+ 				soap_error0(E_ERROR,  "Encoding: Can't decode apache map, missing value");
+ 			}
+ 
+diff --git a/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
+new file mode 100644
+index 0000000000..e46ab2e460
+--- /dev/null
++++ b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
+@@ -0,0 +1,39 @@
++--TEST--
++GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value
++--CREDITS--
++Ilia Alshanetsky (iliaal)
++--EXTENSIONS--
++soap
++--FILE--
++<?php
++
++$request = <<<XML
++<?xml version="1.0" encoding="UTF-8"?>
++<soap:Envelope
++    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
++    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
++    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
++    xmlns:apache="http://xml.apache.org/xml-soap">
++
++    <soap:Body>
++        <test>
++            <map xsi:type="apache:Map">
++                <item><key>hello</key></item>
++            </map>
++        </test>
++    </soap:Body>
++</soap:Envelope>
++XML;
++
++$server = new SoapServer(null, [
++    'uri' => 'urn:test',
++    'typemap' => [['type_name' => 'anything']],
++]);
++$server->addFunction('test');
++function test($m) { return null; }
++$server->handle($request);
++
++?>
++--EXPECT--
++<?xml version="1.0" encoding="UTF-8"?>
++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: Can't decode apache map, missing value</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+-- 
+2.54.0
+
+From 873ac18f30679150c499b240062cf8895df7c664 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 7 May 2026 09:01:35 +0200
+Subject: [PATCH 4/5] NEWS from 8.2.31
+
+(cherry picked from commit 7dff10e9a31d469fcd436e10b06f8b2bf2758a68)
+(cherry picked from commit 1cbf0c27044bd54fb77de8a6bf993a7ab53892a4)
+(cherry picked from commit 6b9f5d1673522bb3cf5d77889919084024565c7f)
+(cherry picked from commit 5be222339cd6d299aa9170e6fa9edd51a5c42f39)
+(cherry picked from commit 8884e113e8351693eb4b5f1c58485ad0e4508d3a)
+(cherry picked from commit 5cf6ff5fcde53a1a941fea374b483e9ff89a9f9f)
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 24fa47ec2b..b46e2b0c5d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 8.2.31
++
++- SOAP:
++  . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with
++    SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
++  . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check).
++    (CVE-2026-7262) (ilutov)
++
+ Backported from 8.1.31
+ 
+ - CLI:
+-- 
+2.54.0
+
diff --git a/php-fpm.service b/php-fpm.service
index 687dfc0..0712a11 100644
--- a/php-fpm.service
+++ b/php-fpm.service
@@ -4,7 +4,7 @@
 
 [Unit]
 Description=The PHP FastCGI Process Manager
-After=syslog.target network.target
+After=network.target
 
 [Service]
 Type=notify
diff --git a/php.spec b/php.spec
index 121579e..9645f14 100644
--- a/php.spec
+++ b/php.spec
@@ -65,7 +65,7 @@
 %global oraclelib 19.1
 %global oracledir 19.24
 %else
-%global oraclever 23.6
+%global oraclever 23.26.2
 %global oraclemax 24
 %global oraclelib 23.1
 %global oracledir 23
@@ -141,7 +141,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: 5.6.40
-Release: 45%{?dist}
+Release: 46%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -272,6 +272,9 @@ Patch273: php-cve-2024-11234.patch
 Patch274: php-cve-2024-8932.patch
 Patch275: php-cve-2024-11233.patch
 Patch276: php-ghsa-4w77-75f9-2c8w.patch
+Patch277: php-cve-2026-7261.patch
+Patch278: php-cve-2026-7262.patch
+Patch279: php-cve-2026-6735.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -1079,6 +1082,9 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
 %patch -P274 -p1 -b .cve8932
 %patch -P275 -p1 -b .cve11233
 %patch -P276 -p1 -b .ghsa4w77
+%patch -P277 -p1 -b .cve7261
+%patch -P278 -p1 -b .cve7262
+%patch -P279 -p1 -b .cve6735
 
 # Fixes for tests
 %patch -P300 -p1 -b .datetests
@@ -1851,7 +1857,7 @@ cat << EOF
 
   WARNING : PHP 5.6 have reached its "End of Life" in
   January 2019. Even, if this package includes some of
-  the important security fixes, backported from 8.1, the
+  the important security fixes, backported from 8.2, the
   UPGRADE to a maintained version is very strongly RECOMMENDED.
 
 =====================================================================
@@ -2029,6 +2035,14 @@ EOF
 
 
 %changelog
+* Tue May 12 2026 Remi Collet <remi@remirepo.net> - 5.6.40-46
+- Fix XSS within status endpoint
+  CVE-2026-6735
+- Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
+  CVE-2026-7261
+- Fix Broken Apache map value NULL check
+  CVE-2026-7262
+
 * Fri Dec  6 2024 Remi Collet <remi@remirepo.net> - 5.6.40-45
 - Add support for MySQL 8's Unicode types (utf8mb4)
   https://github.com/remicollet/remirepo/issues/280
-- 
cgit