code · pull · May 14, 2026 · May 14, 2026 · May 14, 2026 · May 14, 2026
diff --git a/docker/seed/Dockerfile.csharp b/docker/seed/Dockerfile.csharp
@@ -119,12 +119,12 @@ RUN dotnet tool install -g csharpier --version "1.2.6" && \
 </Project>' > /dependencies.csproj && \
     dotnet restore /dependencies.csproj && \
     rm /dependencies.csproj && \
-    # The /dependencies.csproj restore pulls System.Net.Http 4.3.0 back into
-    # the NuGet cache via transitive resolution metadata, even though
-    # System.Net.Http is pinned to [4.3.4,) for actual use. The cached 4.3.0
-    # package contains the netstandard1.x reference assembly (CVE-2018-8292)
-    # and is only kept around for graph resolution -- safe to remove
-    # post-restore.
-    rm -rf /root/.nuget/packages/system.net.http/4.3.0
+    # Drop System.Net.Http 4.3.0 (CVE-2018-8292): the cached package and any
+    # transitive deps.json referencing it (e.g. JmesPath.Net.Parser 1.1.0's
+    # netstandard1.3 build). Runtime only loads the newer-TFM builds.
+    rm -rf /root/.nuget/packages/system.net.http/4.3.0 && \
+    find /root/.nuget/packages -name '*.deps.json' \
+        -exec grep -l '"System.Net.Http/4.3.0"' {} + 2>/dev/null \
+        | xargs -r dirname | sort -u | xargs -r rm -rf
 
 ENTRYPOINT ["tail", "-f", "/dev/null"]
diff --git a/docker/seed/Dockerfile.go b/docker/seed/Dockerfile.go
@@ -16,20 +16,28 @@ RUN apk add --no-cache curl && \
 FROM golang:1.26.3-alpine3.23 AS overlay-binaries
 ARG CONTAINERD_VERSION=2.3.0
 ARG RUNC_VERSION=1.3.5
-ARG MOBY_VERSION=29.4.3
-ARG DOCKER_CLI_VERSION=29.4.3
+# moby v2.0.0-beta.12 (docker v29.5.0-rc.1) is past the v2.0.0-beta.8
+# upstream fix for CVE-2026-33997 / CVE-2026-34040.
+ARG MOBY_VERSION=29.5.0-rc.1
+ARG DOCKER_CLI_VERSION=29.5.0-rc.1
 ARG XNET_VERSION=0.53.0
 ARG OTEL_SDK_VERSION=1.43.0
+ARG IN_TOTO_VERSION=0.11.0
 ENV GOTOOLCHAIN=go1.26.3
 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \
     mkdir -p /overlay/usr/local/bin
+# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP
+# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882).
 RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \
     cd /src/containerd && \
     go get golang.org/x/net@v${XNET_VERSION} \
+           github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     go mod vendor && \
     for cmd in containerd ctr containerd-shim-runc-v2; do \
@@ -45,14 +53,15 @@ RUN git clone --depth 1 --branch v${RUNC_VERSION} https://github.com/opencontain
     cp runc /overlay/usr/local/bin/runc
 RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \
     cd /src/moby && \
-    # Force the patched golang.org/x/net (HTTP/2 server header smuggling,
-    # CVE-2026-33814) and patched otel/sdk (CVE-2026-39883 PATH hijacking
-    # on BSD/Solaris) before vendoring + building dockerd/docker-proxy.
+    # Force patched x/net (CVE-2026-33814), otel SDK + OTLP HTTP exporters
+    # (CVE-2026-39882, CVE-2026-39883) before vendoring dockerd/docker-proxy.
     go get golang.org/x/net@v${XNET_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     go mod vendor && \
     CGO_ENABLED=0 go build -mod=vendor \
@@ -106,6 +115,12 @@ RUN set -eux; \
     && tar -C /usr/local -xzf "go${GO_VERSION}.linux-${GOARCH}.tar.gz" \
     && rm "go${GO_VERSION}.linux-${GOARCH}.tar.gz"
 
+# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod
+# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code.
+RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \
+        /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \
+    sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum
+
 ENV PATH="/usr/local/go/bin:${PATH}" \
     GOPATH="/go" \
     CGO_ENABLED=0

diff --git a/docker/seed/Dockerfile.php b/docker/seed/Dockerfile.php
@@ -16,21 +16,32 @@
 FROM golang:1.26.3-alpine3.23 AS overlay-binaries
 ARG CONTAINERD_VERSION=2.3.0
 ARG RUNC_VERSION=1.3.5
-ARG MOBY_VERSION=29.4.3
-ARG DOCKER_CLI_VERSION=29.4.3
+# moby v2.0.0-beta.12 (docker v29.5.0-rc.1) is past the v2.0.0-beta.8
+# upstream fix for CVE-2026-33997 / CVE-2026-34040.
+ARG MOBY_VERSION=29.5.0-rc.1
+ARG DOCKER_CLI_VERSION=29.5.0-rc.1
 ARG COMPOSE_VERSION=5.1.3
 ARG XNET_VERSION=0.53.0
 ARG OTEL_SDK_VERSION=1.43.0
+ARG IN_TOTO_VERSION=0.11.0
+# Latest 28.x backport of CVE-2026-33997/34040 (compose v5.1.3's legacy
+# github.com/docker/docker indirect dep is frozen at v28.5.2).
+ARG DOCKER_LEGACY_VERSION=v28.5.3-0.20260325154711-31a1689cb0a1+incompatible
 ENV GOTOOLCHAIN=go1.26.3
 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \
     mkdir -p /overlay/usr/local/bin
+# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP
+# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882).
 RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \
     cd /src/containerd && \
     go get golang.org/x/net@v${XNET_VERSION} \
+           github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     go mod vendor && \
     for cmd in containerd ctr containerd-shim-runc-v2; do \
@@ -46,14 +57,15 @@
     cp runc /overlay/usr/local/bin/runc
 RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \
     cd /src/moby && \
-    # Force the patched golang.org/x/net (HTTP/2 server header smuggling,
-    # CVE-2026-33814) and patched otel/sdk (CVE-2026-39883 PATH hijacking
-    # on BSD/Solaris) before vendoring + building dockerd/docker-proxy.
+    # Force patched x/net (CVE-2026-33814), otel SDK + OTLP HTTP exporters
+    # (CVE-2026-39882, CVE-2026-39883) before vendoring dockerd/docker-proxy.
     go get golang.org/x/net@v${XNET_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     go mod vendor && \
     CGO_ENABLED=0 go build -mod=vendor \
@@ -76,23 +88,22 @@
       -tags "osusergo netgo static_build pkcs11" \
       -trimpath -ldflags "-s -w" \
       -o /overlay/usr/local/bin/docker ./cmd/docker
-# Rebuild docker-compose to clear golang.org/x/net <0.53 CVEs the upstream
-# v5.1.3 prebuilt vendors. github.com/docker/docker v28.5.2 remains as a
-# residual since compose has not yet migrated to github.com/moby/moby/v2;
-# the daemon we overlay above is moby v29.4.3 so the CVE-2026-34040 /
-# CVE-2026-33997 code paths are unreachable at runtime.
+# Rebuild docker-compose to clear x/net <0.53, OTLP HTTP exporter <1.43.0
+# (CVE-2026-39882), in-toto-golang <0.11.0 (GHSA-pmwq-pjrm-6p5r), and the
+# legacy github.com/docker/docker v28.5.2 (CVE-2026-33997/34040) that the
+# v5.1.3 upstream prebuilt vendors.
 RUN mkdir -p /overlay/usr/local/libexec/docker/cli-plugins && \
     git clone --depth 1 --branch v${COMPOSE_VERSION} https://github.com/docker/compose.git /src/compose && \
     cd /src/compose && \
-    # Compose still vendors github.com/docker/docker v28.5.2+incompatible
-    # (legacy module path) rather than github.com/moby/moby/v2 -- bump x/net,
-    # otel/sdk, and docker/docker so the embedded SBOM matches the daemon
-    # version we overlay.
     go get golang.org/x/net@v${XNET_VERSION} \
+           github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
+           github.com/docker/docker@${DOCKER_LEGACY_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     CGO_ENABLED=0 go build \
       -trimpath -ldflags "-s -w -X github.com/docker/compose/v5/internal.Version=v${COMPOSE_VERSION}" \

diff --git a/docker/seed/Dockerfile.python b/docker/seed/Dockerfile.python
@@ -16,21 +16,32 @@ RUN apk add --no-cache curl && \
 FROM golang:1.26.3-alpine3.23 AS overlay-binaries
 ARG CONTAINERD_VERSION=2.3.0
 ARG RUNC_VERSION=1.3.5
-ARG MOBY_VERSION=29.4.3
-ARG DOCKER_CLI_VERSION=29.4.3
+# moby v2.0.0-beta.12 (docker v29.5.0-rc.1) is past the v2.0.0-beta.8
+# upstream fix for CVE-2026-33997 / CVE-2026-34040.
+ARG MOBY_VERSION=29.5.0-rc.1
+ARG DOCKER_CLI_VERSION=29.5.0-rc.1
 ARG COMPOSE_VERSION=5.1.3
 ARG XNET_VERSION=0.53.0
 ARG OTEL_SDK_VERSION=1.43.0
+ARG IN_TOTO_VERSION=0.11.0
+# Latest 28.x backport of CVE-2026-33997/34040 (compose v5.1.3's legacy
+# github.com/docker/docker indirect dep is frozen at v28.5.2).
+ARG DOCKER_LEGACY_VERSION=v28.5.3-0.20260325154711-31a1689cb0a1+incompatible
 ENV GOTOOLCHAIN=go1.26.3
 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \
     mkdir -p /overlay/usr/local/bin
+# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP
+# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882).
 RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \
     cd /src/containerd && \
     go get golang.org/x/net@v${XNET_VERSION} \
+           github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     go mod vendor && \
     for cmd in containerd ctr containerd-shim-runc-v2; do \
@@ -46,14 +57,15 @@ RUN git clone --depth 1 --branch v${RUNC_VERSION} https://github.com/opencontain
     cp runc /overlay/usr/local/bin/runc
 RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \
     cd /src/moby && \
-    # Force the patched golang.org/x/net (HTTP/2 server header smuggling,
-    # CVE-2026-33814) and patched otel/sdk (CVE-2026-39883 PATH hijacking
-    # on BSD/Solaris) before vendoring + building dockerd/docker-proxy.
+    # Force patched x/net (CVE-2026-33814), otel SDK + OTLP HTTP exporters
+    # (CVE-2026-39882, CVE-2026-39883) before vendoring dockerd/docker-proxy.
     go get golang.org/x/net@v${XNET_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     go mod vendor && \
     CGO_ENABLED=0 go build -mod=vendor \
@@ -76,23 +88,22 @@ RUN git clone --depth 1 --branch v${DOCKER_CLI_VERSION} https://github.com/docke
       -tags "osusergo netgo static_build pkcs11" \
       -trimpath -ldflags "-s -w" \
       -o /overlay/usr/local/bin/docker ./cmd/docker
-# Rebuild docker-compose to clear golang.org/x/net <0.53 CVEs the upstream
-# v5.1.3 prebuilt vendors. github.com/docker/docker v28.5.2 remains as a
-# residual since compose has not yet migrated to github.com/moby/moby/v2;
-# the daemon we overlay above is moby v29.4.3 so the CVE-2026-34040 /
-# CVE-2026-33997 code paths are unreachable at runtime.
+# Rebuild docker-compose to clear x/net <0.53, OTLP HTTP exporter <1.43.0
+# (CVE-2026-39882), in-toto-golang <0.11.0 (GHSA-pmwq-pjrm-6p5r), and the
+# legacy github.com/docker/docker v28.5.2 (CVE-2026-33997/34040) that the
+# v5.1.3 upstream prebuilt vendors.
 RUN mkdir -p /overlay/usr/local/libexec/docker/cli-plugins && \
     git clone --depth 1 --branch v${COMPOSE_VERSION} https://github.com/docker/compose.git /src/compose && \
     cd /src/compose && \
-    # Compose still vendors github.com/docker/docker v28.5.2+incompatible
-    # (legacy module path) rather than github.com/moby/moby/v2 -- bump x/net,
-    # otel/sdk, and docker/docker so the embedded SBOM matches the daemon
-    # version we overlay.
     go get golang.org/x/net@v${XNET_VERSION} \
+           github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
+           github.com/docker/docker@${DOCKER_LEGACY_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     CGO_ENABLED=0 go build \
       -trimpath -ldflags "-s -w -X github.com/docker/compose/v5/internal.Version=v${COMPOSE_VERSION}" \

diff --git a/generators/go/model/Dockerfile b/generators/go/model/Dockerfile
@@ -2,6 +2,12 @@ FROM node:24.15-alpine3.23 AS node
 
 FROM golang:1.26.3-alpine3.23
 
+# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod
+# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code.
+RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \
+        /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \
+    sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum
+
 ENV YARN_CACHE_FOLDER=/.yarn
 ARG SENTRY_DSN
 ARG SENTRY_ENVIRONMENT=production

diff --git a/generators/go/sdk/Dockerfile b/generators/go/sdk/Dockerfile
@@ -42,6 +42,12 @@ FROM golang:1.26.3-alpine3.23
 
 WORKDIR /workspace
 
+# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod
+# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code.
+RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \
+        /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \
+    sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum
+
 RUN apk update && apk upgrade --no-cache
 RUN apk add --no-cache ca-certificates git libstdc++
 RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \

diff --git a/generators/go/sdk/changes/1.41.3/cve-2026-33814-stdlib-sbom-patch.yml b/generators/go/sdk/changes/1.41.3/cve-2026-33814-stdlib-sbom-patch.yml
@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json
+
+- summary: |
+    Patch `/usr/local/go/src/go.mod`, `vendor/modules.txt`, and `go.sum` in
+    the go-sdk + go-model containers so they declare `golang.org/x/net
+    v0.53.0`. Go 1.26.3 already ships the CVE-2026-33814 fix in its bundled
+    `h2_bundle.go` (the HTTP/2 SETTINGS_MAX_FRAME_SIZE validation moved to
+    the top of `ForeachSetting`), but the stdlib SBOM still pins the
+    pre-fix x/net pseudo-version `v0.47.1-0.20260417*`. Bumping the SBOM
+    metadata to v0.53.0 makes grype reflect the patched code instead of
+    flagging the toolchain as vulnerable.
+  type: chore
diff --git a/generators/go/sdk/versions.yml b/generators/go/sdk/versions.yml
@@ -1,4 +1,18 @@
 # yaml-language-server: $schema=../../../fern-versions-yml.schema.json
+- version: 1.41.3
+  changelogEntry:
+    - summary: |
+        Patch `/usr/local/go/src/go.mod`, `vendor/modules.txt`, and `go.sum` in
+        the go-sdk + go-model containers so they declare `golang.org/x/net
+        v0.53.0`. Go 1.26.3 already ships the CVE-2026-33814 fix in its bundled
+        `h2_bundle.go` (the HTTP/2 SETTINGS_MAX_FRAME_SIZE validation moved to
+        the top of `ForeachSetting`), but the stdlib SBOM still pins the
+        pre-fix x/net pseudo-version `v0.47.1-0.20260417*`. Bumping the SBOM
+        metadata to v0.53.0 makes grype reflect the patched code instead of
+        flagging the toolchain as vulnerable.
+      type: chore
+  createdAt: "2026-05-14"
+  irVersion: 66
 - version: 1.41.2
   changelogEntry:
     - summary: |

diff --git a/generators/php/sdk/Dockerfile b/generators/php/sdk/Dockerfile
@@ -47,6 +47,20 @@ RUN for dir in \
       fi; \
     done
 
+# Patch ip-address to 10.2.0 to fix CVE-2026-42338 / GHSA-v2v4-37r5-5v8g
+# (XSS in Address6 HTML-emitting methods). npm bundles ip-address via socks.
+RUN for dir in \
+      /usr/local/lib/node_modules/npm/node_modules/ip-address; do \
+      if [ -d "$dir" ]; then \
+        rm -rf "$dir" && \
+        cd "$(dirname "$dir")" && \
+        curl -sL https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz -o ip-address-10.2.0.tgz && \
+        tar -xzf ip-address-10.2.0.tgz && \
+        mv package ip-address && \
+        rm ip-address-10.2.0.tgz; \
+      fi; \
+    done
+
 RUN curl -fsSL https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/releases/download/v3.94.2/php-cs-fixer.phar -o /usr/local/bin/php-cs-fixer \
     && chmod +x /usr/local/bin/php-cs-fixer \
     && php-cs-fixer --version

diff --git a/generators/php/sdk/changes/2.9.7/cve-2026-42338-ip-address.yml b/generators/php/sdk/changes/2.9.7/cve-2026-42338-ip-address.yml
@@ -0,0 +1,9 @@
+# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json
+
+- summary: |
+    Patch the bundled `ip-address` to v10.2.0 in the php-sdk container to
+    address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML-
+    emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles
+    `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0
+    tarball in place at image build time.
+  type: chore
diff --git a/generators/php/sdk/versions.yml b/generators/php/sdk/versions.yml
@@ -1,4 +1,15 @@
 # yaml-language-server: $schema=../../../fern-versions-yml.schema.json
+- version: 2.9.7
+  changelogEntry:
+    - summary: |
+        Patch the bundled `ip-address` to v10.2.0 in the php-sdk container to
+        address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML-
+        emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles
+        `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0
+        tarball in place at image build time.
+      type: chore
+  createdAt: "2026-05-14"
+  irVersion: 66
 - version: 2.9.6
   changelogEntry:
     - summary: |