Security Alert: CVE-2026-34757 Persists in Alpine 3.23 PHP Images, Libpng Vulnerability Unresolved
An automated security scan has flagged a persistent, unresolved vulnerability in key PHP container images. The Trivy scan detected CVE-2026-34757, a medium-severity flaw, which remains present even after a rebuild of the affected containers. This indicates the problem sits in the underlying Alpine Linux 3.23.3 base layer rather than in the image's own build steps: the `libpng` package is installed at version `1.6.56-r0` and has not been updated to the fixed version `1.6.57-r0`.
The vulnerability directly affects two major PHP branches, 8.4 and 8.5, specifically their `fpm` (FastCGI Process Manager) variants. The affected container images are hosted on GitHub Container Registry (ghcr.io) under the repository `rafalmasiarek/php`. The specific tagged images, identified by their SHA256 digests, continue to carry the vulnerability. The remediation status is clear: no hotfix scripts matched, and the CVE is confirmed present after a rebuild triggered by the `build-php-images` workflow.
This persistence creates a tangible security risk for any deployments or services relying on these specific PHP-FPM images. Because `libpng` is unpatched at the base Alpine layer, every image built on it inherits the flaw, and a rebuild alone does not remove it. Developers and infrastructure teams using these containers should verify which `libpng` version their images actually carry and apply the upstream fix from the Alpine package maintainers (`1.6.57-r0`) to mitigate the exposure.
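The following script is an added example, not part of the original alert or the `rafalmasiarek/php` project. It shows how a team could triage the scan result described above programmatically: parse a Trivy JSON report, classify each finding for a given CVE by comparing the installed apk version with the fixed one, and compare the pre-rebuild and post-rebuild reports to detect the "still present after rebuild" condition. The embedded report is constructed to match the advisory (Alpine 3.23.3, `libpng` 1.6.56-r0, fix 1.6.57-r0); the image tag and the second CVE id are placeholders, and the apk version comparison is deliberately simplified to dotted numerics plus the `-rN` release.

```python
import copy
import json

# Constructed sample in the shape `trivy image --format json` produces, trimmed
# to the fields read below. Package, versions and OS mirror the advisory; the
# image tag and "CVE-EXAMPLE-0001" are placeholders, not real identifiers.
SCAN_AFTER_REBUILD = {
    "ArtifactName": "ghcr.io/rafalmasiarek/php:<tag>",
    "Metadata": {"OS": {"Family": "alpine", "Name": "3.23.3"}},
    "Results": [{
        "Target": "ghcr.io/rafalmasiarek/php:<tag> (alpine 3.23.3)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2026-34757", "PkgName": "libpng",
             "InstalledVersion": "1.6.56-r0", "FixedVersion": "1.6.57-r0",
             "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "examplepkg",
             "InstalledVersion": "2.0.0-r1", "FixedVersion": "",
             "Severity": "LOW"},
        ],
    }],
}


def load_report(path):
    """Load a real Trivy JSON report from disk (same shape as the sample)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def parse_apk_version(version):
    """Turn an apk version such as '1.6.56-r0' into ((1, 6, 56), 0).

    Simplified on purpose (assumption): only dotted numeric components and the
    '-rN' package release are handled, which covers libpng-style versions.
    """
    base, _, release = version.partition("-r")
    numeric = tuple(int(p) for p in base.split(".") if p.isdigit())
    return numeric, int(release) if release.isdigit() else 0


def apk_version_lt(installed, fixed):
    """True when the installed version is older than the fixed version."""
    return parse_apk_version(installed) < parse_apk_version(fixed)


def findings(report, cve_id):
    """Every OS-package finding for cve_id, annotated with a remediation status."""
    out = []
    for result in report.get("Results", []):
        if result.get("Class") != "os-pkgs":
            continue  # library findings (composer, npm, ...) are out of scope here
        for vuln in result.get("Vulnerabilities", []):
            if vuln.get("VulnerabilityID") != cve_id:
                continue
            installed = vuln["InstalledVersion"]
            fixed = vuln.get("FixedVersion", "")
            if not fixed:
                status = "no upstream fix published"
            elif apk_version_lt(installed, fixed):
                status = "fix available, not applied"
            else:
                status = "installed version already at or above fix"
            out.append({"target": result.get("Target"), "pkg": vuln["PkgName"],
                        "installed": installed, "fixed": fixed,
                        "severity": vuln.get("Severity"), "status": status})
    return out


def persists_after_rebuild(before, after, cve_id):
    """True when the CVE shows up with the same package and installed version
    in both the pre-rebuild and post-rebuild reports: the rebuild changed nothing."""
    before_keys = {(f["pkg"], f["installed"]) for f in findings(before, cve_id)}
    after_keys = {(f["pkg"], f["installed"]) for f in findings(after, cve_id)}
    return bool(before_keys & after_keys)


def with_package_upgraded(report, pkg, new_version):
    """Copy of report with pkg's InstalledVersion replaced. Simulates the scan
    expected once the fix lands; a real Trivy run would simply omit the entry."""
    patched = copy.deepcopy(report)
    for result in patched.get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            if vuln.get("PkgName") == pkg:
                vuln["InstalledVersion"] = new_version
    return patched


if __name__ == "__main__":
    cve = "CVE-2026-34757"
    for f in findings(SCAN_AFTER_REBUILD, cve):
        print(f"{f['target']}: {f['pkg']} {f['installed']} -> fix "
              f"{f['fixed'] or 'n/a'} [{f['severity']}] {f['status']}")
    # A rebuild that pulled the same base layer yields an identical report.
    print("persists after rebuild:",
          persists_after_rebuild(SCAN_AFTER_REBUILD, SCAN_AFTER_REBUILD, cve))
```

For a real image, run `trivy image --format json --output report.json <image>` before and after the rebuild and feed both files through `load_report`; a `True` from `persists_after_rebuild` is the signal that the base layer, not the image's own Dockerfile steps, is what needs to change.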