Security Alert: High-Severity CVE-2026-30929 Persists in Alpine 3.23 PHP Images
A high-severity vulnerability, CVE-2026-30929, remains unpatched in widely used PHP container images. An automated Trivy scan confirmed that the finding persists even after the images were rebuilt, which points to a systemic issue in the upstream Alpine Linux 3.23 branch rather than in the image build itself. The vulnerability stems from outdated ImageMagick packages and leaves a persistent attack surface in any service running the affected containers.
The flaw affects images based on Alpine Linux 3.23.3 and PHP branch 8.5, in both the `cli` and `fpm` variants. The vulnerable packages (`imagemagick`, `imagemagick-jpeg`, and `imagemagick-libs`) are stuck at version `7.1.2.15-r0`; the fixed version is `7.1.2.17-r0`. Two container images from the `ghcr.io/rafalmasiarek/php` repository are confirmed to be affected, carrying the vulnerability directly into the production environments that rely on them.
The remediation status shows a failure of the standard patching workflow. No hotfix script matched the issue, and rebuilding the images did not resolve the CVE. This means the fix must first land in the Alpine package repositories before the downstream images can be secured. Organizations using these containers are advised to monitor Alpine's security advisories closely and to consider interim mitigation strategies, as the current images offer no safe version to deploy.
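The two checks a defender wants at this point are (a) whether the installed apk version of each affected package is actually at or above the fixed version, and (b) whether a rebuild changed anything at all, rather than trusting the presence or absence of a scanner finding. The following Python script is an added example, not code from the alert or from the `ghcr.io/rafalmasiarek/php` project. It parses a report in the shape of Trivy's JSON output (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`), compares apk versions, and reports whether a rebuild resolved the CVE. The report itself is constructed inline, the image tag is a placeholder because the alert names no tags, and the version parser is a simplified assumption that handles only the plain numeric `X.Y.Z-rN` form these packages use.

```python
import json
import re

CVE_ID = "CVE-2026-30929"
AFFECTED_PKGS = ("imagemagick", "imagemagick-jpeg", "imagemagick-libs")
FIXED_VERSION = "7.1.2.17-r0"

# Simplified apk version grammar for the numeric form used here ("7.1.2.15-r0").
# Assumption: suffixes such as "_p1" or "_alpha" are not handled and raise ValueError.
_APK_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_apk_version(version: str) -> tuple[list[int], int]:
    """Split an apk version into (numeric components, package release number)."""
    m = _APK_VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported apk version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    release = int(m.group(2) or 0)
    return parts, release


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the version that carries the fix."""
    return parse_apk_version(installed) >= parse_apk_version(fixed)


def constructed_report(image_ref: str, installed: str) -> str:
    """Build a constructed sample in the shape of a Trivy JSON report (not real scanner
    output). Only the fields this script reads are populated."""
    vulns = [
        {"VulnerabilityID": CVE_ID, "PkgName": pkg, "InstalledVersion": installed,
         "FixedVersion": FIXED_VERSION, "Severity": "HIGH"}
        for pkg in AFFECTED_PKGS
    ]
    return json.dumps({
        "SchemaVersion": 2,
        "ArtifactName": image_ref,
        "Results": [{"Target": f"{image_ref} (alpine 3.23.3)", "Class": "os-pkgs",
                     "Type": "alpine", "Vulnerabilities": vulns}],
    })


def unresolved_packages(report_json: str, cve_id: str) -> list[str]:
    """Packages the report lists for cve_id whose installed version is still below the
    advertised fix, or for which the scanner knows no fixed version. Sorted for stable output."""
    report = json.loads(report_json)
    unresolved = set()
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("VulnerabilityID") != cve_id:
                continue
            fixed = v.get("FixedVersion") or ""
            if not fixed or not is_fixed(v["InstalledVersion"], fixed):
                unresolved.add(v["PkgName"])
    return sorted(unresolved)


def rebuild_outcome(before_json: str, after_json: str, cve_id: str) -> dict:
    """Compare the pre-rebuild and post-rebuild reports: the rebuild counts as having
    resolved the CVE only when nothing remains unresolved afterwards."""
    before = unresolved_packages(before_json, cve_id)
    after = unresolved_packages(after_json, cve_id)
    return {"before": before, "after": after, "resolved": not after}


if __name__ == "__main__":
    image = "ghcr.io/rafalmasiarek/php:TAG-PLACEHOLDER"  # placeholder tag; the alert names none
    before = constructed_report(image, "7.1.2.15-r0")
    # A rebuild that pulled the same apk index yields the same installed version.
    after = constructed_report(image, "7.1.2.15-r0")
    print(json.dumps(rebuild_outcome(before, after, CVE_ID), indent=2))
```

Running the script prints `"resolved": false` with all three ImageMagick packages still listed after the rebuild, which is the situation the alert describes; feeding it a post-rebuild report whose installed version is `7.1.2.17-r0` (or one where Trivy no longer lists the CVE at all) yields `"resolved": true`.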