Security Alert: CVE-2026-30935 Persists in Alpine 3.23 PHP Images, Automated Scan Shows Unresolved Risk
An automated Trivy security scan has flagged a persistent, unresolved vulnerability in critical container images. The medium-severity flaw, CVE-2026-30935, remains active in PHP 8.5 images built on the Alpine Linux 3.23.3 base, specifically affecting both the `cli` and `fpm` variants. Despite a rebuild attempt, the vulnerability was not remediated, indicating a systemic patching failure within the upstream Alpine package ecosystem.
The core issue stems from outdated ImageMagick libraries (`imagemagick`, `imagemagick-jpeg`, `imagemagick-libs`) at version `7.1.2.15-r0`. The fixed version, `7.1.2.17-r0`, has not been applied. Two specific container images from the `ghcr.io/rafalmasiarek/php` repository are confirmed as currently vulnerable: the `8.5-cli` and `8.5-fpm` builds. The remediation status report is stark: zero hotfix scripts matched, and the CVE is confirmed present after a rebuild, with the same PHP branches and variants still affected.
This situation signals a significant supply chain security risk. Organizations and developers relying on these container images for production workloads are exposed until the underlying Alpine package maintainers release and propagate the fixed libraries. The persistence of the flaw post-rebuild suggests that simply rebuilding the image is insufficient; direct intervention to force an update to the patched package versions is required. This creates immediate operational pressure for teams to manually verify and harden their deployment pipelines.
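As an added example (not from the scan report or the image repository above), a small Python check that a pipeline can run over Trivy's JSON output to confirm whether a rebuild actually moved the flagged packages past the fixed version. The field names follow Trivy's JSON format; the report contents are constructed sample data mirroring the finding above, with one package deliberately set to the fixed version to show the comparison, and the apk version parsing assumes the plain numeric form these packages use.

```python
import json

# Constructed Trivy-style report (not real scan output). Field names follow
# Trivy's JSON schema; imagemagick-jpeg is set to the fixed version on purpose
# to show a partially successful upgrade being distinguished from an unfixed one.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/rafalmasiarek/php:8.5-fpm",
    "Results": [{
        "Target": "ghcr.io/rafalmasiarek/php:8.5-fpm (alpine 3.23.3)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2026-30935", "PkgName": "imagemagick",
             "InstalledVersion": "7.1.2.15-r0", "FixedVersion": "7.1.2.17-r0"},
            {"VulnerabilityID": "CVE-2026-30935", "PkgName": "imagemagick-libs",
             "InstalledVersion": "7.1.2.15-r0", "FixedVersion": "7.1.2.17-r0"},
            {"VulnerabilityID": "CVE-2026-30935", "PkgName": "imagemagick-jpeg",
             "InstalledVersion": "7.1.2.17-r0", "FixedVersion": "7.1.2.17-r0"},
        ],
    }],
})


def apk_version_key(version):
    """Turn an apk version like '7.1.2.15-r0' into a comparable tuple.
    Assumption: plain dotted numbers plus an -rN release (no _pre/_p suffixes)."""
    base, _, release = version.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(release or 0)


def unresolved_findings(report_json, cve_id):
    """Return (package, installed, fixed) for every entry of the given CVE whose
    installed version is still below the version Trivy reports as fixed."""
    report = json.loads(report_json)
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") != cve_id or not vuln.get("FixedVersion"):
                continue  # different CVE, or no fix published yet to compare against
            installed, fixed = vuln["InstalledVersion"], vuln["FixedVersion"]
            if apk_version_key(installed) < apk_version_key(fixed):
                hits.append((vuln["PkgName"], installed, fixed))
    return hits


def rebuild_resolved(report_json, cve_id):
    """CI gate: True only when no package for this CVE is still below the fix."""
    return not unresolved_findings(report_json, cve_id)


if __name__ == "__main__":
    for pkg, installed, fixed in unresolved_findings(SAMPLE_REPORT, "CVE-2026-30935"):
        print(f"{pkg}: installed {installed} < fixed {fixed} -> still vulnerable")
```

Feed it a real report with `trivy image --format json` and fail the pipeline when `rebuild_resolved` returns False, so a rebuild that silently pulled the same package version is caught before deployment.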