High-Severity CVE-2026-33636 Exposes PHP Images on Alpine 3.23
A security scan has flagged a high-severity vulnerability, CVE-2026-33636, present in multiple production-ready PHP container images. The flaw stems from an outdated `libpng` package (version 1.6.55-r0) in the Alpine Linux 3.23.3 base image; a fixed package version (1.6.56-r0) is available. Until the images are rebuilt against the fixed package, the vulnerability remains a direct attack surface for any system running the affected containers.
The exposure is specific to the `ghcr.io/rafalmasiarek/php` repository and affects both the PHP 8.4 and 8.5 branches in their `cli` and `fpm` variants. Four distinct container images, identified by their exact SHA256 digests, are confirmed to be vulnerable. Deployments pulling these image tags are therefore running software with a known, high-risk security gap that could be exploited.
The automated detection by Trivy highlights a persistent supply chain risk: vulnerabilities in base image dependencies cascade into every downstream application container built on them. While a remediation script has been matched, the status of its actual deployment across the affected images remains unclear. Organizations using these containers should immediately verify the `libpng` version installed in their running images and apply the available fix (1.6.56-r0), which for a container means rebuilding or pulling an image whose base layer carries the fixed package.
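The verification step above, as an added example that is not part of the advisory or the image project's own tooling: it reads a Trivy JSON report (the sample below is constructed in Trivy's report shape, with an assumed `8.4-fpm` tag), lists findings that have a fix available, and checks `apk info -v` output from a running container against the fixed Alpine package version.

```python
"""Check Trivy findings and container package versions against the fixed libpng (added example)."""
import json
import re

# Constructed sample in Trivy's JSON report shape; not output from a real scan of the images above.
TRIVY_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/rafalmasiarek/php:8.4-fpm",  # assumed tag
    "Results": [{
        "Target": "ghcr.io/rafalmasiarek/php:8.4-fpm (alpine 3.23.3)",
        "Class": "os-pkgs",
        "Vulnerabilities": [{
            "VulnerabilityID": "CVE-2026-33636", "PkgName": "libpng",
            "InstalledVersion": "1.6.55-r0", "FixedVersion": "1.6.56-r0",
            "Severity": "HIGH",
        }],
    }],
})

def parse_apk_version(ver):
    """Split an Alpine version such as '1.6.55-r0' into comparable numeric parts."""
    base, _, rel = ver.partition("-r")
    nums = [int(x) for x in re.findall(r"\d+", base)]
    return nums, int(rel or 0)

def needs_upgrade(installed, fixed):
    """True when the installed Alpine package is older than the fixed version."""
    return parse_apk_version(installed) < parse_apk_version(fixed)

def fixable_findings(report_json, severities=("HIGH", "CRITICAL")):
    """Return (image, pkg, installed, fixed, cve) tuples for findings that have an available fix."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities", []):
            if v.get("Severity") not in severities or not v.get("FixedVersion"):
                continue
            if needs_upgrade(v["InstalledVersion"], v["FixedVersion"]):
                out.append((report["ArtifactName"], v["PkgName"], v["InstalledVersion"],
                            v["FixedVersion"], v["VulnerabilityID"]))
    return out

def verify_container(apk_info_output, pkg, fixed):
    """Parse `apk info -v` output from a running container; True only if pkg is at or above fixed."""
    for line in apk_info_output.splitlines():
        m = re.match(rf"^{re.escape(pkg)}-(\d[\w.]*-r\d+)$", line.strip())
        if m:
            return not needs_upgrade(m.group(1), fixed)
    return False  # package not listed: treat as unverified

if __name__ == "__main__":
    for finding in fixable_findings(TRIVY_REPORT):
        print("upgrade needed:", finding)
    print(verify_container("libpng-1.6.56-r0\nmusl-1.2.5-r0\n", "libpng", "1.6.56-r0"))
```

To feed real data, capture `trivy image -f json <image>` for the report and `docker exec <container> apk info -v` for the package listing.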