How to patch PHP
PHP · Web / Runtime · 5 steps · updated June 2026
PHP security fixes ship within each supported branch. The low-risk move is to update to the newest patch release on your current branch (e.g. 8.3.x → latest 8.3.x); moving up a whole branch (8.2 → 8.3) is a separate, tested upgrade. Branches also reach end-of-life, after which they get no fixes at all.
PHP has 3 actively-exploited vulnerabilities on the CISA KEV list — patching is urgent.
Check your current version first
Before you patch, record what you're running (CLI / phpinfo):
php -v for the CLI, or phpinfo() for the web SAPI
Step by step
1. Run php -v and note how PHP is installed: distro package, a PPA/repo, compiled from source, or a Docker base image.
2. Update to the latest patch release of your current branch for a low-risk security fix. Plan a branch upgrade (which may need code changes) separately.
3. Debian/Ubuntu: sudo apt update && sudo apt upgrade (newer branches via the Ondřej Surý PPA). RHEL/Alma/Rocky: dnf module / the Remi repo. Docker: bump the base-image tag and rebuild.
4. Restart PHP-FPM and your web server (e.g. systemctl restart php8.3-fpm nginx) so the new binary is actually serving requests.
5. Confirm with php -v on the CLI and via phpinfo() for the web SAPI; they can differ if you run multiple versions.
- Once a PHP branch is end-of-life it gets no security fixes — check your branch’s EOL date and plan ahead.
- CLI and web (FPM) can run different PHP versions; verify both.
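The record-before, confirm-after check from the steps above, as an added shell example that is not part of the original page: it parses php -v output, tells a patch update apart from a branch change, and flags a CLI/web mismatch. The function names and the sample version strings are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): verify a PHP patch-level update.

# Print the upstream x.y.z from the first line of `php -v` output.
# A distro suffix after the patch number (e.g. "-1+example1") is dropped.
php_version_from() {
    printf '%s\n' "$1" |
        sed -n '1s/^PHP \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print the branch (major.minor) of an x.y.z version.
php_branch() { printf '%s\n' "${1%.*}"; }

# Compare the version recorded before patching ($1) with the one after ($2).
# Prints a verdict; returns 0 only for a newer patch release on the same branch.
check_patch_update() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo "unparsed"; return 3; fi
    if [ "$(php_branch "$1")" != "$(php_branch "$2")" ]; then
        echo "branch-changed"; return 2   # a branch upgrade, not a patch update
    fi
    if [ "${2##*.}" -gt "${1##*.}" ]; then echo "patched"; return 0; fi
    echo "not-updated"; return 1
}

# Compare the CLI version ($1) with the version the web SAPI reports ($2).
check_sapi_match() {
    if [ "$1" = "$2" ]; then echo "match"; return 0; fi
    echo "mismatch"; return 1             # e.g. PHP-FPM not restarted yet
}

# Constructed sample values, not captured from a real host.
before_out='PHP 8.3.6 (cli) (built: Jan  1 2025 00:00:00) (NTS)'
after_out='PHP 8.3.9-1+example1 (cli) (built: Jan  1 2025 00:00:00) (NTS)'
web_version='8.3.6'   # assumed to be read from phpinfo() after the update

before=$(php_version_from "$before_out")
after=$(php_version_from "$after_out")
echo "update: $before -> $after: $(check_patch_update "$before" "$after" || true)"
echo "cli vs web: $(check_sapi_match "$after" "$web_version" || true)"
```

Distro packages can ship security fixes under an unchanged upstream x.y.z with only a new package revision, so treat a not-updated verdict on such a host as a prompt to check the package changelog.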
Official sources
- Advisory: PHP supported versions
- Download: PHP downloads
Stay ahead of the next one
- PHP security status & health score — score, open CVEs and safe version.
- PHP vulnerabilities — the full CVE list and what's exploited.
- PHP end-of-life dates — don't run a release that's stopped getting fixes.
- Monitor PHP — get an email alert the moment a new exploited vulnerability lands.
Frequently asked questions
What is the latest version of PHP?
As of June 2026, the latest supported PHP release we track is 8.5.7. Patch to the current release on your branch and confirm the version after updating.
How do I check which version of PHP I am running?
Use php -v on the CLI, or phpinfo() for the web SAPI. Record the result before and after patching to confirm the update applied.
Is PHP being actively exploited right now?
Yes: 3 PHP vulnerabilities are on the CISA Known Exploited Vulnerabilities (KEV) list, so attackers are using them in the wild. Patch promptly.
How do I patch PHP safely without breaking production?
Always test in a non-production environment first, take a backup or snapshot, follow the official vendor advisory, and have a tested rollback. Patch one node at a time for clustered or high-availability setups.
Patch steps are general, well-established guidance for PHP; always test in a non-production environment first and follow the official PHP advisory for your exact version. IsItPatched is independent and not affiliated with PHP; this is not a substitute for vendor documentation.