Security Alert: High-Severity CVE-2026-33416 in Alpine 3.22 Images Affects PHP 8.2 & 8.3
A security scan has flagged a high-severity vulnerability, CVE-2026-33416, in multiple production-ready Docker images. The flaw is in the `libpng` library shipped with the Alpine Linux 3.22.3 base, leaving containerized PHP applications that rely on it exposed to potential exploitation. This is not a theoretical finding: automated scanning has confirmed that the unpatched package is present in specific, tagged images currently hosted on GitHub Container Registry. Note what the scanner establishes and what it does not: it confirms that the vulnerable package version is installed, not that the flaw has been exploited.
The vulnerability affects images built for PHP 8.2 and 8.3, in both the `cli` and `fpm` variants. The exposure comes from the installed `libpng` package, version `1.6.55-r0`; the fix is to update to the patched version `1.6.56-r0`. Four distinct container images from the `ghcr.io/rafalmasiarek/php` repository are confirmed affected, each identified by its full SHA256 digest. Because the same package version appears in all four, the issue is inherent to every build on this Alpine branch that predates the package update, not an isolated configuration error.
The operational risk applies to any service or deployment pipeline that uses these vulnerable images. A remediation has been identified (updating `libpng` to `1.6.56-r0`), but the published container artifacts have not yet been rebuilt with it. This creates a pressing dependency-chain issue: downstream users and automated systems pulling these images inherit the vulnerability. Maintainers need to rebuild and republish the images against the updated package, and operators should audit their deployments for the listed image digests and verify the installed `libpng` version in any container built from them.
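As an added example (not the project's own tooling, and not part of the original advisory), the following POSIX shell script shows the audit an operator would run against a pulled image: it asks `apk` inside the container for the installed `libpng` version, compares it with the fixed version `1.6.56-r0` from the advisory, and prints the image's repository digests so they can be matched against the digests listed in the scan report. The `apk list --installed` output line used in the comments is constructed; the image tag in the usage comment, the `--entrypoint apk` override and the Docker inspect template are assumptions about how the images are run, not facts from the page.

```shell
#!/bin/sh
# Added example: audit a pulled PHP image for the vulnerable libpng package.
# Not the project's own tooling. The fixed version comes from the advisory;
# how the images are invoked (docker, --entrypoint apk) is an assumption.

FIXED_LIBPNG="1.6.56-r0"

# version_at_least INSTALLED REQUIRED
# Returns 0 if INSTALLED >= REQUIRED for Alpine-style "X.Y.Z-rN" versions.
# The "-rN" release suffix is folded in as a trailing numeric field so it is
# compared after the upstream version. Missing fields count as 0.
version_at_least() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    gsub(/-r/, ".", a); gsub(/-r/, ".", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i in x) ? x[i] + 0 : 0
      q = (i in y) ? y[i] + 0 : 0
      if (p < q) exit 1
      if (p > q) exit 0
    }
    exit 0
  }'
}

# libpng_version_from_apk_list LINE
# Extracts "1.6.55-r0" from an "apk list --installed libpng" line such as
# this constructed sample:
#   libpng-1.6.55-r0 x86_64 {libpng} (Zlib) [installed]
# Sub-packages like libpng-dev do not match: a digit must follow "libpng-".
libpng_version_from_apk_list() {
  printf '%s\n' "$1" | sed -n 's/^libpng-\([0-9][^ ]*\).*/\1/p'
}

# libpng_status VERSION
# Prints "FIXED" or "VULNERABLE" and returns 0 / 1 accordingly.
libpng_status() {
  if version_at_least "$1" "$FIXED_LIBPNG"; then
    echo "FIXED"; return 0
  fi
  echo "VULNERABLE"; return 1
}

# check_image IMAGE
# Runs apk inside the image (bypassing the PHP entrypoint) and reports the
# installed libpng version plus the image's repository digests, which the
# operator compares against the digests listed in the scan report.
check_image() {
  img=$1
  if ! out=$(docker run --rm --entrypoint apk "$img" list --installed libpng 2>/dev/null); then
    echo "$img: could not run apk inside the image"
    return 2
  fi
  line=$(printf '%s\n' "$out" | grep '^libpng-[0-9]')
  ver=$(libpng_version_from_apk_list "$line")
  if [ -z "$ver" ]; then
    echo "$img: libpng not installed (no exposure through this package)"
    return 0
  fi
  digests=$(docker image inspect --format '{{join .RepoDigests ", "}}' "$img" 2>/dev/null)
  status=$(libpng_status "$ver") && rc=0 || rc=1
  echo "$img: libpng $ver -> $status (fixed in $FIXED_LIBPNG); digests: ${digests:-unknown}"
  return $rc
}

# Usage (tag is a placeholder): sh check_libpng.sh ghcr.io/rafalmasiarek/php:8.3-fpm
# Exits non-zero if any image still carries a libpng older than the fix.
# With no arguments the script only defines the functions.
if [ $# -gt 0 ]; then
  failed=0
  for img in "$@"; do
    check_image "$img" || failed=1
  done
  exit $failed
fi
```

The comparison treats the Alpine `-rN` release suffix as a trailing numeric field, which orders `1.6.55-r0` below `1.6.56-r0` as the advisory requires; for package versions with suffixes beyond the plain `X.Y.Z-rN` shape, defer to `apk version -t` inside the container rather than this helper. A fixed version number confirms the package update, but it is still worth re-running the original scanner against the rebuilt digest before treating the image as clean.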