Security Alert: CVE-2026-30937 Persists in Alpine 3.23 PHP Images, Affects ImageMagick
A security vulnerability, CVE-2026-30937, remains unresolved in specific PHP container images, posing a persistent medium-severity risk. An automated Trivy scan confirmed the flaw is still present even after a rebuild, which points to a dependency issue within the Alpine Linux 3.23.3 base layer rather than to the image's own build steps. The vulnerability is tied to outdated ImageMagick packages, creating a direct security exposure for any application that processes images with these images.
The flaw specifically affects PHP 8.5 images in both `cli` and `fpm` variants published under the `ghcr.io/rafalmasiarek/php` repository. The core problem resides in three ImageMagick packages (`imagemagick`, `imagemagick-jpeg`, `imagemagick-libs`) all stuck at version `7.1.2.15-r0`. The fixed version, `7.1.2.17-r0`, has not been applied. This leaves the container images `ghcr.io/rafalmasiarek/php:8.5-cli-sha-1f21526` and `ghcr.io/rafalmasiarek/php:8.5-fpm-sha-1f21526` vulnerable.
The remediation status is a significant concern. No hotfix script matched the issue, and a rebuild of the images failed to resolve the CVE. This signals that the vulnerability is not a simple build artifact but is most likely inherited from the upstream Alpine 3.23 package repository: a rebuild only re-installs whatever version the repository currently serves, so if the repository still offers `7.1.2.15-r0`, the rebuilt image carries the same packages. Until the Alpine maintainers publish the patched packages or the image maintainer switches base layers, any service or deployment relying on these specific PHP 8.5 images continues to run with an unpatched, known vulnerability in a core image processing library.
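To make the "rebuild did not fix it" diagnosis repeatable, the following is an added example (not code from the page or from the image maintainer's pipeline) that gates on a Trivy JSON report: it lists every finding for which the distribution has published a fixed version that the image still lacks, and compares the unpatched set before and after a rebuild. The report embedded in it is constructed to mirror the finding described above, and the version comparison is a simplified reading of apk's scheme (dotted numerics plus `-rN`) that does not model suffixes such as `_p1`; Trivy's `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity` fields are real, the rest is assumption.

```python
"""Gate a Trivy JSON report on 'fix available but not applied' findings.

Added example, not code from the page or from the image maintainer. The report
below is CONSTRUCTED to mirror the finding described in the text; the version
comparison is a simplified reading of apk's scheme (dotted numerics plus -rN)
and does not handle suffixes such as _p1 or _git.
"""
import json
import re

# Constructed Trivy-style report (schema v2 layout) for the vulnerable image.
CONSTRUCTED_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "ghcr.io/rafalmasiarek/php:8.5-fpm-sha-1f21526",
    "Metadata": {"OS": {"Family": "alpine", "Name": "3.23.3"}},
    "Results": [{
        "Target": "ghcr.io/rafalmasiarek/php:8.5-fpm-sha-1f21526 (alpine 3.23.3)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2026-30937", "PkgName": pkg,
             "InstalledVersion": "7.1.2.15-r0", "FixedVersion": "7.1.2.17-r0",
             "Severity": "MEDIUM"}
            for pkg in ("imagemagick", "imagemagick-jpeg", "imagemagick-libs")
        ],
    }],
})

# Simplified apk version form: dotted numerics, optional -r<release>.
_APK_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_apk_version(version):
    """'7.1.2.15-r0' -> ((7, 1, 2, 15), 0). Raises on forms this demo does not model."""
    m = _APK_RE.match(version)
    if not m:
        raise ValueError(f"unsupported apk version form: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    rel = int(m.group(2) or 0)
    return nums, rel


def compare_apk_version(a, b):
    """Return -1, 0 or 1: is a older than, equal to, or newer than b."""
    pa, pb = parse_apk_version(a), parse_apk_version(b)
    return (pa > pb) - (pa < pb)


def unpatched_findings(report_json):
    """Findings where the distro has published a fix that the image still lacks.

    Returns (cve, package, installed, fixed, severity) tuples. Findings with no
    FixedVersion are skipped: a rebuild cannot help there and they need a
    separate tracking path (upstream bug, base-image switch, mitigation).
    """
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities", []) or []:
            fixed = v.get("FixedVersion")
            if not fixed:
                continue
            # Trivy may list several fixed versions separated by ", "; use the first.
            fixed = fixed.split(",")[0].strip()
            if compare_apk_version(v["InstalledVersion"], fixed) < 0:
                out.append((v["VulnerabilityID"], v["PkgName"],
                            v["InstalledVersion"], fixed, v.get("Severity")))
    return out


def same_findings(before_json, after_json):
    """True when a rebuild left the unpatched set unchanged (base layer not updated)."""
    return set(unpatched_findings(before_json)) == set(unpatched_findings(after_json))


if __name__ == "__main__":
    findings = unpatched_findings(CONSTRUCTED_REPORT)
    for cve, pkg, inst, fixed, sev in findings:
        print(f"{cve} {sev}: {pkg} {inst} -> fix {fixed}")
    raise SystemExit(1 if findings else 0)
```

Against a real image the input comes from `trivy image --format json --output report.json <image>`; feeding the pre- and post-rebuild reports to `same_findings` turns "the rebuild didn't help" from an impression into a recorded fact, and an exit status of 1 from the gate blocks promotion of the tag until the installed version reaches `7.1.2.17-r0` or the base layer changes.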