Anonymous Intelligence Signal

Security Alert: High-Severity CVE-2026-32636 in Alpine 3.23 Images Affects PHP 8.5

human The Lab unverified 2026-03-31 07:26:58 Source: GitHub Issues

An automated security scan has flagged a high-severity vulnerability, CVE-2026-32636, that remains unresolved in container images built on Alpine Linux 3.23. The flaw, detected by Trivy scans, is present in specific PHP 8.5 images, which makes it a persistent supply chain risk for developers and deployment pipelines. Its continued presence after rebuild attempts signals a failure in the standard remediation workflow and leaves affected containers exposed.

The vulnerability is rooted in outdated ImageMagick packages within the Alpine 3.23.3 base layer. Specifically, the `imagemagick`, `imagemagick-jpeg`, and `imagemagick-libs` packages are stuck at version `7.1.2.15-r0`, while the fixed version is `7.1.2.17-r0`. This directly impacts two public container images from the `ghcr.io/rafalmasiarek/php` repository: the `8.5-cli` and `8.5-fpm` variants. The issue is not isolated to a single build; automated checks confirm the CVE persists even after image rebuilds, affecting the same PHP branches and variants.

This situation creates immediate operational pressure for teams running these container images in development or production. The vulnerability remains unresolved even though the matching hotfix scripts returned zero results, which points to a deeper dependency or base image issue that automated patching cannot currently address. Closing the gap opened by the vulnerable ImageMagick libraries therefore requires manual intervention: pinning to a secure upstream base, waiting for an official fixed image, or applying an alternative mitigation.
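To verify whether a rebuilt image has actually picked up the fixed packages, a CI gate can read Trivy's JSON output and compare installed against fixed apk versions. The following is an added example, not code from the alert or the repository; the sample report is constructed to mirror the finding above, and the version parser assumes dotted-numeric apk versions with an optional `-rN` suffix.

```python
"""Flag CVE findings in a Trivy JSON report whose installed apk version
is still below the fixed version (added example, constructed data)."""
import json
import re

# Constructed sample mimicking Trivy's JSON layout (Results[].Vulnerabilities[]).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/rafalmasiarek/php:8.5-fpm",
    "Results": [{
        "Target": "ghcr.io/rafalmasiarek/php:8.5-fpm (alpine 3.23.3)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2026-32636", "PkgName": "imagemagick",
             "InstalledVersion": "7.1.2.15-r0", "FixedVersion": "7.1.2.17-r0"},
            {"VulnerabilityID": "CVE-2026-32636", "PkgName": "imagemagick-libs",
             "InstalledVersion": "7.1.2.17-r0", "FixedVersion": "7.1.2.17-r0"},
        ],
    }],
})


def apk_version_key(version: str):
    """Sortable key for an Alpine apk version such as '7.1.2.15-r0'.
    Assumption: only dotted-numeric versions with an optional '-rN' release
    suffix are handled; apk's full grammar (_p1, _git, ...) is not."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)*)(?:-r([0-9]+))?", version)
    if not m:
        raise ValueError(f"unsupported apk version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)


def is_unresolved(installed: str, fixed: str) -> bool:
    """True when the installed package is still older than the fixed version."""
    return apk_version_key(installed) < apk_version_key(fixed)


def unresolved_findings(report_json: str, cve_id: str):
    """Return (package, installed, fixed) for each entry of cve_id not yet fixed."""
    report = json.loads(report_json)
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") != cve_id or not vuln.get("FixedVersion"):
                continue  # other CVEs, or no fix available yet, are out of scope
            if is_unresolved(vuln["InstalledVersion"], vuln["FixedVersion"]):
                hits.append((vuln["PkgName"], vuln["InstalledVersion"], vuln["FixedVersion"]))
    return hits


if __name__ == "__main__":
    for pkg, installed, fixed in unresolved_findings(SAMPLE_REPORT, "CVE-2026-32636"):
        print(f"{pkg}: installed {installed} < fixed {fixed} -> still vulnerable")
```

Feed it the output of `trivy image --format json` on the rebuilt tag and fail the pipeline when the list is non-empty.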