EasyApache4 v25.58 PHP Security Release

WebPros has released an update for EasyApache 4!  Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.

• ea-php82
• EA-13427: Update ea-php82 from v8.2.30 to v8.2.31

• ea-php83
• EA-13428: Update ea-php83 from v8.3.30 to v8.3.31

• ea-php84
• EA-13429: Update ea-php84 from v8.4.20 to v8.4.21

• ea-php85
• EA-13430: Update ea-php85 from v8.5.5 to v8.5.6

• (CVE-2026-6735) Fixed GHSA-7qg2-v9fj-4mwv (XSS within FPM status endpoint)
• (CVE-2026-7259) Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in mb_ereg_search_init())
• (CVE-2025-14179) Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in PDO_Firebird)
• (CVE-2026-6722) Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL ref_map pointer)
• (CVE-2026-7261) Fixed GHSA-m33r-qmcv-p97q (Use-after-free in SOAP persistence session)
• (CVE-2026-7262) Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check in SOAP)
• (CVE-2026-7568) Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset)
• (CVE-2026-7258) Fixed GHSA-m8rr-4c36-8gq4 (Unsigned char handling in ctype.h functions)