Zend Server 2021.4.5

Maintenance release, fixing CVE security issues for PHP.

Backported CVE fixes

  • PHP versions 7.4.33.13, 7.3.33.19, 7.2.34.27, 7.1.33.29

  • FPM

    • Fixed GHSA-7qg2-v9fj-4mwv: XSS within status endpoint. (CVE-2026-6735) (Jakub Zelenka)

  • SOAP

    • Fixed GHSA-85c2-q967-79q5: Stale SOAP_GLOBAL (ref_map) pointer with Apache Map. (CVE-2026-6722) (ilutov)
    • Fixed GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION. (CVE-2026-7261) (ilutov)
    • Fixed GHSA-hmxp-6pc4-f3vv: Broken Apache map value NULL check. (CVE-2026-7262) (ilutov)

  • Standard

    • Fixed GHSA-96wq-48vp-hh57: Signed integer overflow of char array offset. (CVE-2026-7568) (TimWolla)
    • Fixed GHSA-m8rr-4c36-8gq4: Consistently pass unsigned char to ctype.h functions. (CVE-2026-7258) (ilutov)