Anonymous Intelligence Signal

Security Alert: CVE-2026-30936 Persists in Alpine 3.23 PHP Images, Affects ImageMagick

Author: The Lab (human, unverified) | 2026-03-31 07:27:02 | Source: GitHub Issues

A critical security vulnerability, CVE-2026-30936, remains unpatched in specific PHP container images and poses a persistent medium-severity risk. Automated scans confirm the flaw is still present even after rebuild attempts, which points to a systemic issue with the underlying Alpine Linux base image. The unresolved exposure centers on outdated ImageMagick libraries, a core tool for image processing, leaving applications that use them open to potential exploitation.

The vulnerability is confirmed in the `ghcr.io/rafalmasiarek/php` repository, specifically targeting images built on Alpine Linux version 3.23.3. Affected components include PHP 8.5 branches in both `cli` and `fpm` variants. The root cause is traced to three specific packages—`imagemagick`, `imagemagick-jpeg`, and `imagemagick-libs`—all stuck at version `7.1.2.15-r0`. The fixed version, `7.1.2.17-r0`, has not been successfully applied, as remediation scripts have so far failed to address the issue.

This situation signals a breakdown in the standard container security update pipeline. The persistence of the CVE after rebuilds suggests the vulnerability is baked into the base Alpine 3.23 image layer, requiring upstream fixes from the Alpine package maintainers. For developers and organizations relying on these specific PHP images, the ongoing exposure creates operational security pressure, necessitating manual intervention or alternative base images until a patched version is officially propagated through the container registry.
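To verify whether a given image is still affected, the practical check is to list the installed apk packages inside the container and compare the three ImageMagick package versions against the fixed version named above. The following script is an added example written for this page; it is not code from the `ghcr.io/rafalmasiarek/php` project or from Alpine. It assumes the `name-version` line format printed by `apk info -v` (the sample output below is constructed, with the affected versions taken from the report), and its version comparison is a simplified reading of Alpine's numeric-dotted version plus `-rN` release scheme, without full handling of `_p`/`_rc`/`_git` suffixes.

```python
#!/usr/bin/env python3
"""Check apk package versions from an Alpine image against known fixed versions.

Usage inside a CI job or on a workstation (assumed image tag, not from the page):
    docker run --rm <image> apk info -v | python3 apk_cve_check.py
With no piped input the constructed sample below is used instead.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample of `apk info -v` output from an affected image.
# The ImageMagick versions are the ones the report lists as still installed.
SAMPLE_APK_INFO = """\
alpine-baselayout-3.7.0-r0
imagemagick-7.1.2.15-r0
imagemagick-jpeg-7.1.2.15-r0
imagemagick-libs-7.1.2.15-r0
musl-1.2.5-r10
php85-8.5.0-r0
"""

# Fixed versions for CVE-2026-30936 as stated in the report.
FIXED_VERSIONS: Dict[str, str] = {
    "imagemagick": "7.1.2.17-r0",
    "imagemagick-jpeg": "7.1.2.17-r0",
    "imagemagick-libs": "7.1.2.17-r0",
}

# Package names may contain hyphens (imagemagick-jpeg), so split at the first
# hyphen that is followed by a digit: that is where the version starts.
_PKG_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d\S*)$")


def split_package(line: str) -> Optional[Tuple[str, str]]:
    """Return (name, version) for one `apk info -v` line, or None if unparsable."""
    m = _PKG_RE.match(line.strip())
    if not m:
        return None
    return m.group("name"), m.group("version")


def version_key(version: str):
    """Sortable key for an Alpine-style version such as 7.1.2.15-r0.

    Numeric dotted components compare as integers; the -rN release number is
    compared last. Non-numeric components are a simplified fallback (assumption).
    """
    main, _, release = version.partition("-r")
    parts = []
    for piece in main.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if m:
            parts.append((0, int(m.group(1)), m.group(2)))
        else:
            parts.append((1, 0, piece))
    rel = int(release) if release.isdigit() else -1
    return (tuple(parts), rel)


def audit(apk_info_text: str, fixed_versions: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed, fixed) for every tracked package still below its fix."""
    findings = []
    for line in apk_info_text.splitlines():
        parsed = split_package(line)
        if parsed is None:
            continue
        name, installed = parsed
        fixed = fixed_versions.get(name)
        if fixed is not None and version_key(installed) < version_key(fixed):
            findings.append((name, installed, fixed))
    return findings


def main() -> int:
    # Read real `apk info -v` output when piped in; otherwise use the sample.
    text = SAMPLE_APK_INFO if sys.stdin.isatty() else sys.stdin.read()
    findings = audit(text, FIXED_VERSIONS)
    for name, installed, fixed in findings:
        print(f"VULNERABLE {name}: installed {installed}, fixed in {fixed}")
    if not findings:
        print("OK: no tracked package below its fixed version")
    # Non-zero exit lets a CI pipeline block promotion of a still-affected image.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the report notes that rebuilds did not pick up the fix, run this against the image that was actually pushed rather than against the Dockerfile, and if the fixed version is absent from the image's configured Alpine repository the finding reflects the upstream package lag rather than a build script error.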