Security Alert: CVE-2026-28686 Affects Alpine 3.23 PHP Images, Automated Scan Shows Unresolved Vulnerability
An automated Trivy security scan has flagged an unresolved medium-severity vulnerability, CVE-2026-28686, within container images built on Alpine Linux 3.23. The vulnerability persists even after a rebuild, indicating a systemic supply chain issue affecting downstream PHP deployments. The flaw is tied to outdated ImageMagick packages, creating a persistent security gap in critical runtime environments.
The vulnerability specifically impacts the `imagemagick`, `imagemagick-jpeg`, and `imagemagick-libs` packages at version `7.1.2.15-r0`; the fixed version is `7.1.2.17-r0`. The exposure directly affects PHP branch 8.5 in both its `cli` and `fpm` variants. Two container images from the `ghcr.io/rafalmasiarek/php` repository are confirmed as affected, both carrying Alpine version `3.23.3`. The remediation status is unambiguous: no hotfix script matched the issue, and the CVE remained present after a rebuild, so the set of affected PHP branches and variants is unchanged.
This situation signals a significant supply chain risk for any service or application relying on these specific PHP-Alpine container images. The persistence of the flaw post-rebuild suggests the vulnerability is baked into the base image layer or its package repositories, requiring upstream fixes from the Alpine maintainers. Organizations using these images for development or production face immediate pressure to assess their exposure, monitor for official patches from the Alpine project, and consider interim mitigation strategies to secure their image pipelines.
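One way to turn "assess your exposure" into a repeatable check is to read the Trivy JSON report from each rebuilt image and confirm whether the flagged ImageMagick packages are still below the fixed version. The script below is an added example, not code from the alert or from the image repository; it uses Trivy's JSON layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), a constructed sample report built from the versions stated above (the image tag is a placeholder), and a simplified apk version ordering that handles the dotted-numeric `upstream-rN` scheme these packages use.

```python
"""Decide whether CVE-2026-28686 is still unresolved in a Trivy JSON report.

Trivy's JSON output lists OS-package findings under Results[].Vulnerabilities[]
with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity.
The sample report below is constructed for this example from the versions in
the alert; the image tag is a placeholder, not a tag taken from the page.
"""
import json
import re

CVE_ID = "CVE-2026-28686"
FIXED_VERSION = "7.1.2.17-r0"
AFFECTED_PKGS = ("imagemagick", "imagemagick-jpeg", "imagemagick-libs")


def make_report(installed_version: str) -> str:
    """Build a constructed Trivy-style JSON report for the three ImageMagick packages."""
    vulns = [
        {
            "VulnerabilityID": CVE_ID,
            "PkgName": pkg,
            "InstalledVersion": installed_version,
            "FixedVersion": FIXED_VERSION,
            "Severity": "MEDIUM",
        }
        for pkg in AFFECTED_PKGS
    ]
    report = {
        "ArtifactName": "ghcr.io/rafalmasiarek/php:PLACEHOLDER-TAG",  # placeholder tag
        "Metadata": {"OS": {"Family": "alpine", "Name": "3.23.3"}},
        "Results": [
            {"Target": "alpine 3.23.3", "Class": "os-pkgs", "Type": "alpine",
             "Vulnerabilities": vulns}
        ],
    }
    return json.dumps(report)


SAMPLE_REPORT = make_report("7.1.2.15-r0")  # the state the alert describes

_APK_VERSION = re.compile(r"^(?P<ver>[^-]+)(?:-r(?P<rel>\d+))?$")


def parse_apk_version(version: str):
    """Split '7.1.2.15-r0' into comparable components plus the -rN release.

    Simplified apk ordering (an assumption of this example): dot-separated
    numeric components compare as integers; a non-numeric component sorts
    before any numeric one and compares as a string. Sufficient for the
    upstream.release scheme used by the packages in the alert.
    """
    m = _APK_VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised apk version: {version!r}")
    components = tuple(
        (1, int(part)) if part.isdigit() else (0, part)
        for part in m.group("ver").split(".")
    )
    release = int(m.group("rel") or 0)
    return components, release


def is_below_fix(installed: str, fixed: str) -> bool:
    """True when the installed apk version sorts strictly before the fixed one."""
    return parse_apk_version(installed) < parse_apk_version(fixed)


def unresolved_findings(report_json: str, cve_id: str = CVE_ID) -> list:
    """Return every finding for cve_id whose installed version is still below the fix."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") != cve_id:
                continue
            installed, fixed = vuln["InstalledVersion"], vuln.get("FixedVersion", "")
            # A finding whose installed version already meets the fix points at a
            # stale vulnerability database rather than a real exposure; skip it.
            if fixed and not is_below_fix(installed, fixed):
                continue
            findings.append({"pkg": vuln["PkgName"], "installed": installed,
                             "fixed": fixed, "severity": vuln.get("Severity")})
    return findings


def is_resolved(report_json: str, cve_id: str = CVE_ID) -> bool:
    """A rebuild counts as remediated only when no affected package is below the fix."""
    return not unresolved_findings(report_json, cve_id)


if __name__ == "__main__":
    for f in unresolved_findings(SAMPLE_REPORT):
        print(f"{CVE_ID}: {f['pkg']} {f['installed']} < {f['fixed']} ({f['severity']})")
    print("resolved" if is_resolved(SAMPLE_REPORT) else "still unresolved after rebuild")
```

Run it against the output of `trivy image --format json` for each rebuilt tag instead of `SAMPLE_REPORT`; a rebuild that still reports `7.1.2.15-r0` for any of the three packages has not pulled the fixed package and should fail the pipeline, while a report listing `7.1.2.17-r0` or later is treated as remediated even if a stale database still names the CVE.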