Security Alert: CVE-2026-28689 Persists in Alpine 3.23 PHP Images, Affects ImageMagick
A security vulnerability, CVE-2026-28689, remains unresolved in specific PHP container images, posing a persistent medium-severity risk. Automated scans confirm the flaw is still present even after rebuild attempts, which points to a systemic patching failure in the affected software supply chain rather than a one-off missed update. While it remains unresolved, deployments built on these images stay exposed to potential exploitation.
The vulnerability is rooted in outdated ImageMagick packages within the Alpine Linux 3.23.3 base image. Specifically, the `imagemagick`, `imagemagick-jpeg`, and `imagemagick-libs` packages at version `7.1.2.15-r0` are affected, with a fixed version available at `7.1.2.17-r0`. The flaw directly impacts PHP 8.5 runtime images, both `cli` and `fpm` variants, distributed via the `ghcr.io/rafalmasiarek/php` repository. Two specific container images with precise SHA256 digests are confirmed to be vulnerable.
The persistence of this CVE after rebuilds signals a breakdown in the standard remediation workflow: no hotfix script matched the finding, so nothing in the pipeline pulled in the fixed packages. This creates ongoing operational risk for any service or application relying on these containerized PHP environments. System administrators and DevOps teams must manually verify the ImageMagick package versions inside their images and enforce an upgrade to the patched `7.1.2.17-r0` packages to close this security gap.
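To make that manual verification concrete, the following is an added example (not part of the advisory or the image repository): it parses package inventory lines in the `apk info -v` shape (`name-version-rN`, as produced for example by `docker run --rm --entrypoint apk IMAGE info -v`) and flags the three ImageMagick packages named above when they are still below `7.1.2.17-r0`. The sample inventory is constructed; the version parser assumes numeric dotted versions with an optional `-rN` release.

```python
"""Flag Alpine ImageMagick packages below the fixed version from the advisory."""
import re

# Package -> fixed version, taken from the advisory text.
FIXED = {
    "imagemagick": "7.1.2.17-r0",
    "imagemagick-jpeg": "7.1.2.17-r0",
    "imagemagick-libs": "7.1.2.17-r0",
}

# Constructed sample of `apk info -v` output: two packages still at the
# affected release, one already on the fixed release, plus unrelated noise.
SAMPLE_APK_INFO = """\
musl-1.2.5-r9
imagemagick-7.1.2.15-r0
imagemagick-jpeg-7.1.2.15-r0
imagemagick-libs-7.1.2.17-r0
php85-fpm-8.5.0-r0
"""

# apk's naming rule: the version starts at the first '-' followed by a digit,
# so hyphenated names such as imagemagick-jpeg are kept intact.
_SPLIT = re.compile(r"^(.+?)-(\d[^-]*(?:-r\d+)?)$")

def split_pkg(line):
    """'imagemagick-jpeg-7.1.2.15-r0' -> ('imagemagick-jpeg', '7.1.2.15-r0')."""
    m = _SPLIT.match(line.strip())
    if not m:
        raise ValueError(f"unparseable apk line: {line!r}")
    return m.group(1), m.group(2)

def parse_version(ver):
    """'7.1.2.15-r0' -> ((7, 1, 2, 15), 0); tuples compare in apk order.
    Assumption: numeric dotted version plus optional -rN (no _p/_git suffixes)."""
    base, _, rel = ver.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rel or 0)

def find_vulnerable(apk_output, fixed=FIXED):
    """Return [(name, installed, fixed)] for tracked packages below the fix."""
    hits = []
    for line in apk_output.splitlines():
        if not line.strip():
            continue
        name, ver = split_pkg(line)
        if name in fixed and parse_version(ver) < parse_version(fixed[name]):
            hits.append((name, ver, fixed[name]))
    return hits

if __name__ == "__main__":
    for name, have, want in find_vulnerable(SAMPLE_APK_INFO):
        print(f"{name}: installed {have} < fixed {want}")
```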