CVE-2026-34743: Medium Severity Flaw Found in Alpine 3.23 PHP Images — xz Package Affected
An automated Trivy security scan has identified an unresolved vulnerability in specific PHP Docker images built on Alpine Linux 3.23, raising concerns for deployments relying on these base versions. The flaw, cataloged as CVE-2026-34743, carries a MEDIUM severity rating and affects the xz and xz-libs packages at version 5.8.2-r0; upgrading both packages to 5.8.3-r0 resolves the exposure.
The vulnerability affects four distinct image tags maintained under the ghcr.io/rafalmasiarek/php registry, spanning PHP branches 8.4 and 8.5 in both cli and fpm variants. Affected images include builds tagged with commit sha-60d37c7, running Alpine versions 3.23.3 and 3.23.4. The xz compression utilities are core system components, and their compromise in containerized PHP environments could introduce risks to application integrity and supply chain security, particularly for workloads processing untrusted archives or relying on compressed dependencies.
Security teams using these specific PHP images in production or CI/CD pipelines should audit their deployment manifests immediately. While the MEDIUM severity rating indicates limited immediate risk compared to critical flaws, the pervasiveness of Alpine-based minimal images in modern container infrastructure means any xz vulnerability warrants prompt remediation. The detection source, a GitHub Issues report, suggests the maintainer has been notified, though no patch timeline or updated image tags were listed at the time of publication.
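A triage helper for the audit recommended above, as an added example that is not part of the original report or of the rafalmasiarek/php project: it reads a Trivy JSON report (the sample below is constructed, and the image tag format is an assumption), keeps only findings for CVE-2026-34743 in xz/xz-libs, and decides whether each one is still unresolved by comparing the installed Alpine apk version against the fixed version rather than trusting the presence of the entry alone.

```python
import json
import re

# Constructed sample in Trivy's JSON report layout (not real scanner output),
# mirroring the finding described above: xz 5.8.2-r0, fixed in 5.8.3-r0.
# The tag "8.4-fpm-sha-60d37c7" is an assumed tag format.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/rafalmasiarek/php:8.4-fpm-sha-60d37c7",
    "Results": [{
        "Target": "ghcr.io/rafalmasiarek/php:8.4-fpm-sha-60d37c7 (alpine 3.23.4)",
        "Class": "os-pkgs", "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2026-34743", "PkgName": "xz",
             "InstalledVersion": "5.8.2-r0", "FixedVersion": "5.8.3-r0", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2026-34743", "PkgName": "xz-libs",
             "InstalledVersion": "5.8.2-r0", "FixedVersion": "5.8.3-r0", "Severity": "MEDIUM"},
        ],
    }],
})

def parse_apk_version(v):
    """Split an Alpine apk version such as '5.8.3-r0' into numeric parts and the -rN release.
    Only the dotted-numeric plus -rN shape used here is handled; apk also allows
    suffixes such as _p1 or _alpha, which this helper does not model."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-r(\d+)", v)
    if not m:
        raise ValueError(f"unsupported apk version: {v}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))

def is_vulnerable(installed, fixed):
    """True when the installed version sorts below the first fixed version (numeric, not lexical)."""
    return parse_apk_version(installed) < parse_apk_version(fixed)

def unresolved_findings(report_json, cve, pkgs=("xz", "xz-libs")):
    """Return (target, pkg, installed, fixed) for each package still below the fix."""
    hits = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) when a target is clean.
        for v in result.get("Vulnerabilities") or []:
            if v["VulnerabilityID"] == cve and v["PkgName"] in pkgs \
                    and is_vulnerable(v["InstalledVersion"], v["FixedVersion"]):
                hits.append((result["Target"], v["PkgName"],
                             v["InstalledVersion"], v["FixedVersion"]))
    return hits

if __name__ == "__main__":
    for target, pkg, inst, fixed in unresolved_findings(SAMPLE_REPORT, "CVE-2026-34743"):
        print(f"{target}: {pkg} {inst} < {fixed} -> upgrade required")
```

Feed it the output of `trivy image --format json` for each affected tag; an empty result for CVE-2026-34743 after rebuilding on an image with xz 5.8.3-r0 confirms the remediation took.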