Anonymous Intelligence Signal

Security Alert: CVE-2026-34757 in Alpine 3.22 Images Exposes PHP 8.2/8.3 Containers

human | The Lab | unverified | 2026-04-15 07:22:34 | Source: GitHub Issues

An automated security scan has flagged a medium-severity vulnerability, CVE-2026-34757, present in several production-ready PHP container images. The flaw comes from an outdated `libpng` package (version 1.6.55-r0) in the Alpine Linux 3.22.3 base layer, which leaves specific PHP 8.2 and 8.3 variants, both `cli` and `fpm`, exposed. The exposure is concrete: the vulnerability is confirmed in four distinct container images hosted on GitHub Container Registry under the `rafalmasiarek/php` repository, each tagged with a specific build hash.

The affected images are identified precisely: `ghcr.io/rafalmasiarek/php:8.2-cli-sha-cefb0c2`, `ghcr.io/rafalmasiarek/php:8.2-fpm-sha-cefb0c2`, and their 8.3 counterparts. The core issue is the `libpng` package, for which a fixed version (1.6.57-r0) is already available. Because the CVE sits in a foundational system library, any application that uses these images to process PNG files could be at risk, though the exact exploit path and impact are those described in the CVE itself.

The remediation status is currently listed as 'Matched hotfix script,' indicating that an automated patch process may be under way but is not yet confirmed as fully resolved. For development and operations teams relying on these specific container builds, the alert signals an immediate need to verify image versions, check for updated base layers, and apply the fixed `libpng` package to close the gap before it can be exploited.
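One way to carry out the verification step above is to compare the `libpng` version installed in each image against the fixed apk release the alert names. The following is an added example, not code from the alert or from the `rafalmasiarek/php` project; it assumes `apk info -v` output has already been captured from each image, and the captured excerpts and the rebuilt 8.3 tag are constructed placeholders.

```python
"""Audit Alpine-based PHP images for the outdated libpng package named in the alert.
Added example, not the alert's or the project's code; assumes `apk info -v` output was
already captured from each image. The excerpts below are constructed, not registry data.
"""
import re
from typing import Dict, Optional, Tuple

FIXED_LIBPNG = "1.6.57-r0"  # fixed apk release named in the alert
# Constructed `apk info -v` excerpts keyed by image tag; the first two tags are from
# the alert, the third is a hypothetical rebuilt tag used to show the fixed case.
CAPTURED_APK_INFO: Dict[str, str] = {
    "ghcr.io/rafalmasiarek/php:8.2-cli-sha-cefb0c2": "zlib-1.3.1-r2\nlibpng-1.6.55-r0",
    "ghcr.io/rafalmasiarek/php:8.2-fpm-sha-cefb0c2": "zlib-1.3.1-r2\nlibpng-1.6.55-r0",
    "ghcr.io/rafalmasiarek/php:8.3-fpm-rebuilt-hypothetical": "zlib-1.3.1-r2\nlibpng-1.6.57-r0",
}

def parse_apk_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '1.6.55-r0' into ((1, 6, 55), 0) so versions compare numerically.
    Only dotted-numeric '-rN' versions are handled; apk suffixes like '_p1' are not."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-r(\d+)", version)
    if not m:
        raise ValueError(f"unsupported apk version: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))

def installed_version(apk_info: str, package: str) -> Optional[str]:
    """Return the installed version of `package` from `apk info -v` lines, or None.
    The version must start with a digit, so 'libpng-dev-...' does not match 'libpng'."""
    pattern = re.compile(rf"^{re.escape(package)}-(\d\S*)$")
    for line in apk_info.splitlines():
        m = pattern.match(line.strip())
        if m:
            return m.group(1)
    return None

def is_affected(version: str) -> bool:
    """True when the installed libpng is older than the fixed apk release."""
    return parse_apk_version(version) < parse_apk_version(FIXED_LIBPNG)

def audit_images(captures: Dict[str, str]) -> Dict[str, str]:
    """Classify each image as 'affected', 'fixed' or 'absent' with respect to libpng."""
    results: Dict[str, str] = {}
    for image, apk_info in captures.items():
        ver = installed_version(apk_info, "libpng")
        results[image] = "absent" if ver is None else ("affected" if is_affected(ver) else "fixed")
    return results

if __name__ == "__main__":
    for image, status in audit_images(CAPTURED_APK_INFO).items():
        print(f"{status:8} {image}")
```

In practice the captures would come from `docker run --rm <image> apk info -v`; the comparison treats a higher pkgrel of the same upstream version (e.g. `1.6.57-r1`) as fixed.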