PHP celebrated its 30th anniversary in 2025 while shipping PHP 8.5 with the pipe operator, clone with modifications, and a native URI extension. FrankenPHP gained official PHP Foundation support, delivering benchmark results showing ~15,000 req/sec vs PHP-FPM's ~4,000 in worker mode, becoming an alternative runtime backed by the Foundation. The ecosystem achieved 89% PHP 8.x adoption while PHP powered ~72% of websites with detectable server-side languages—though PHP dropped out of TIOBE's top 10 in April 2024, ranking #13 in January 2025 and #15 by January 2026.

Laravel and Symfony executed vertical integration strategies: Laravel 12 launched with zero breaking changes alongside Laravel Cloud and Nightwatch monitoring, while Symfony released 7.4 LTS and 8.0 simultaneously with identical features but diverging support paths. Security defined the year's challenges: Livewire's critical RCE (CVE-2025-54068, CVSS v4.0 9.2 / v3.1 9.8) with 130,000+ public Livewire instances detected (vulnerable subset depends on version/configuration), while 600+ Laravel apps were exposed via leaked APP_KEY values on GitHub. The PHP Foundation commissioned its first security audit in over a decade, managed a $900,000 budget with 10 part-time/full-time developers, and began searching for its first full-time Executive Director.

Timeline: 2025

January

Jan 13 — PHP 8.3.16 released with bug fixes.

Jan 16 — PHP 8.4.3 released with bug fixes.

Jan 16-17 — SymfonyOnline 2025 opened the year's conference calendar.

Jan 29 — Twig CVE-2025-24374 disclosed: missing output escaping in null coalesce operator (??), medium-severity XSS affecting Twig versions prior to 3.19.0. Fixed in Twig 3.19.0.

Jan — Laravel Herd 1.14 set PHP 8.4 as default for new installations, added Expose 3.0 integration, herd ini CLI command. PHPStan 2.1.x releases refined PHP 8.4 Property Hooks support from November 2024's Level 10 launch.

Jan — Pest 3.0 introduced native Mutation Testing—automatically modifies source code to ensure tests fail when logic changes, preventing false-positive tests.

February

Feb 3-4 — Laracon EU 2025 in Amsterdam drew 700+ attendees. Taylor Otwell demonstrated Laravel Cloud, Jess Archer presented Nightwatch, Aaron Francis announced Fusion (PHP inside Vue.js components).

Feb 13 — PHP 8.3.17 and 8.4.4 released with bug fixes.

Feb 19 — PHP UK Conference 20th anniversary in London featuring Daniel Terhorst-North's keynote on 20 years of BDD.

Feb 24 — Laravel 12 released—first major version with zero breaking changes. New starter kits (React, Vue, Livewire 3), WorkOS AuthKit integration, Carbon 3.x requirement, PHP 8.2-8.4 compatibility.

March

Mar 5 — Laravel CVE-2025-27515 disclosed: file validation bypass with wildcards (files.*) affecting versions prior to 10.48.29, 11.44.0. Fixed in 10.48.29, 11.44.1, 12.1.1.

Mar 8-9 — Laracon India 2025 in Gandhinagar drew 2,500+ attendees from 20+ countries—first official Laracon India.

Mar 13 — Coordinated security release: PHP 8.1.32, 8.2.28, 8.3.19, 8.4.5—first 2025 releases for PHP 8.1 and 8.2 (both in security-only mode). All versions address CVE-2025-1219—libxml streams vulnerability where redirected HTTP resources may be parsed with the wrong charset due to header handling, potentially bypassing validation.

Mar 17 — SymfonyDay Chicago included tribute to Ryan Weaver, who would pass away in August.

Mar 27-28 — SymfonyLive Paris 2025 kicked off Symfony's 20th anniversary celebrations.

Mar 29 — CakePHP 5.2.0 released with cake counter_cache command and nativeuuid type for MariaDB.

Mar 31 — PHP Foundation published 2024 Transparency Report: $683,550 in donations, plans to spend up to $900,000 on developer compensation in 2025.

Mar — PXP project archived—Ryan Chandler's PHP superset experiment (analogous to TypeScript for JavaScript) ceased development. The decision reflected PHP core's accelerated velocity—features PXP aimed to provide were either being implemented natively or handled by static analysis tools like PHPStan, signaling that PHP innovation belongs within the engine itself rather than fragmented dialects.

April

Apr 3-4 — SymfonyLive Berlin previewed Symfony 7.3 features.

Apr 10 — PHP Foundation published first comprehensive security audit results in over a decade. Commissioned via Sovereign Tech Agency, conducted by Quarkslab/OSTIF. Found 27 issues (17 with security implications), 4 CVEs issued, 3 high-severity. All addressed prior to publication.

Apr 10 — PHP 8.3.20 and 8.4.6 released as bug fix releases, incorporating fixes developed during the security audit process.

Apr — Passbolt joined PHP Foundation as Silver sponsor.

Apr 16 — PyCharm 2025.1 merged Professional and Community editions, making core features (including Jupyter) free.

May

May 15 — FrankenPHP became officially supported by The PHP Foundation. Project moved to official PHP GitHub organization. Independent benchmarks showed ~15,000 req/sec vs PHP-FPM's ~4,000 in specific test conditions; Sylius analysis demonstrated 80% response time reduction with worker mode (performance gains vary by application architecture). Version 1.5 introduced thread autoscaling—dynamic worker thread spawning based on traffic load (mirroring PHP-FPM's pm.dynamic but with Go routine overhead). "Mostly static" binary builds enable compiling application code, PHP runtime, extensions, and web server into single portable binaries.

May 15-16 — phpDay 2025 in Verona—22nd edition, hybrid attendance.

May 19 — Symfony UX CVE-2025-47946: unsanitized HTML attribute injection in symfony/ux-twig-component prior to 2.25.1, enabling XSS.

May 20-22 — php[tek] 2025 in Chicago celebrated 17th year. Security theme: "Developer Enablement"—moving from gatekeeping to paving the road.

May 25 — Laravel lomkit/laravel-rest-api CVE-2025-48490 disclosed: multiple validations for same attribute could be silently overridden in versions prior to 2.13.0.

May 29 — Symfony 7.3 released with three new components: JsonStreamer, ObjectMapper, JsonPath. Added invokable commands with PHP attributes, asset pre-compression, native PHP 8.4 lazy object support.

June

Jun 5 — PHP 8.3.22 and 8.4.8 released with bug fixes.

Jun 8 — PHP's 30th anniversary. PHP Foundation announced FrankenPHP move to official GitHub organization.

Jun 12-13 — SymfonyOnline June 2025 featured keynote "Symfony in 2025: Scaling to Zero"—performance initiative for serverless environments.

Jun 16 — Laravel Nightwatch shipped—monitoring solution with minimal performance impact (buffering data until 8 MB or 10 seconds), battle-tested on Laravel Forge for two months before public release.

Jun 17 — JetBrains PHPverse 2025—free online conference celebrating PHP's 30th with 26,000+ attendees worldwide. Featured talks by core contributors and PHP 8.5 release managers.

Jun 17 — PIE 1.0.0 released—PHP Installer for Extensions, a modern PECL replacement. Spearheaded by James Titcumb ("asgrim").

Jun 28 — PHP Conference Japan 2025 in Tokyo drew 875 of 1,700 registered attendees.

Jun 28 — Doctrine ORM 3.4.0 released with native lazy object support and PHP 8.4 property hooks compatibility.

July

Jul 3 — PHP 8.4.10 released (security); 8.4.9 was skipped because it was tagged without including security patches. Coordinated security release: PHP 8.1.33, 8.2.29, 8.3.23, 8.4.10 addressing CVE-2025-1220 (Low severity)—fsockopen() null byte hostname validation bypass—and CVE-2025-1735—PostgreSQL driver string escaping flaw. PHP 8.5.0 Alpha 1 released.

Jul 11 — PHP Foundation announced pipe operator (|>) for PHP 8.5—Larry Garfield's third RFC attempt succeeded. Implementation by Ilija Tovilo and Arnaud Le Blanc. Foundation called it "one of the highest 'bangs for the buck' of any feature in recent memory".

Jul 17 — PHP 8.5.0 Alpha 2 released (Alpha 3 planned for Jul 31).

Jul 29-30 — Laracon US 2025 in Denver. Major announcements: Laravel Cloud enhancements (MySQL backups, Preview Environments, WebSockets GA, Canada region), Laravel Forge 2.0 (complete rebuild, zero-downtime deployments, Laravel VPS), Livewire 4 preview (Blaze Rendering Engine—3× faster UIs), Pest 4 announcement (Playwright browser testing).

August

Aug 5 — PHP Foundation published Gina Banyard's compile-time generics proposal—interfaces/abstract classes only, avoiding runtime overhead. Community response mixed; no immediate RFC vote.

Aug 14 — PHP 8.5.0 Beta 1 released. Beta 2 (Aug 28), Beta 3 (Sep 11) followed.

Aug 21 — Pest 4.0 launched at Laravel Live Denmark with 39M+ installs (up from 18M in 2024). Playwright browser testing, visual regression, test sharding, built on PHPUnit 12, requires PHP 8.3+.

Aug 23 — Guzzle 7.10.0 released with PHP 8.5 support.

Aug 28 — PHP 8.3.25 and 8.4.12 maintenance releases.

Aug — PHP and Symfony communities mourned loss of Ryan Weaver, who passed away after battling brain cancer. SymfonyCasts founder, Symfony Core Team member, beloved educator.

September

Sep 11 — PHP 8.5.0 Beta 3 released.

Sep 14 — Laracon Online—free YouTube-streamed event with 8 main talks, 10 lightning talks.

Sep 18 — API Platform 4.2 released: JsonStreamer integration (~32.4% req/sec increase), ObjectMapper integration, FrankenPHP support (3× more req/sec in worker mode), enhanced Laravel integration (124 PRs).

Sep 25 — PHP 8.5.0 RC1 released alongside PHP 8.3.26 and 8.4.13 maintenance releases.

Sep 25 — Joe Watkins (pthreads creator) joined PHP Foundation as contractor. Expertise applied to Streams API rework.

Sep 29 — pandas 2.3.3 released—first release supporting Python 3.14 including 3.14t wheels.

October

Oct 1 — Laravel Forge 2.0 launched—biggest update since 2014. Zero-downtime deployments, Laravel VPS, sub-10-second provisioning, health checks, JSON:API compliance.

Oct 9 — PHP 8.5.0 RC2 released. RC3 (Oct 23), RC4 (Nov 6), RC5 (Nov 13) followed.

Oct 9-10 — Forum PHP 2025 in Paris drew 700+ attendees.

Oct 10 — PHP Foundation announced new URI Extension for PHP 8.5—modern URL parsing following RFC 3986/WHATWG standards, developed through collaboration with Symfony and community contributors.

Oct — State of PHP 2025 survey published (1,720 respondents): 89% using PHP 8.x, 64% Laravel, 36% PHPStan (+9 points YoY), 17% Pest (+4 points), 68% PhpStorm (+10%), 95% tried AI-assisted coding, 80% use AI tools regularly.

Oct — Doctrine team announced ORM 2.x support extended to February 2027 (from February 2026).

Oct — Sovereign Tech Agency announced second PHP investment: funding for stream layer rework.

November

Nov 10 — PHP Foundation announced search for new Executive Director. Roman Pronskiy stepping down after founding role. Application deadline: December 15, 2025.

Nov 13-14 — Laracon AU 2025 in Brisbane.

Nov 20 — PHP 8.5.0 GA released on schedule. Features: pipe operator (|>), clone with, URI Extension, array_first()/array_last(), #[\NoDiscard] attribute, fatal error backtraces, OPcache always compiled in. Branded "Smarter, Faster, Built for Tomorrow". PHP 8.4 remains in active support until December 31, 2026.

Nov 20 — PHP 8.3.28 and 8.4.15 maintenance releases.

Nov 27 — Symfony 7.4 LTS and 8.0 released simultaneously with identical features. 7.4 LTS: bug fixes until 2028, security until 2029, requires PHP 8.2+. 8.0: requires PHP 8.4.0+, removes deprecated code. New features include native FrankenPHP worker-mode integration, caching HTTP client, video constraint, multi-step forms.

Nov 27-28 — SymfonyCon Amsterdam 2025 drew 1,200+ attendees for Symfony's 20th anniversary. Fabien Potencier keynote: "20 Years of Symfony, What's Next?"

Nov — WordPress 7.0 officially pushed to 2026. Official schedule proposed: Beta Feb 19, RC Mar 19, GA Apr 9, 2026. Legal issues and WP Engine lawsuit introduced governance uncertainties; Automattic reduced sponsored contributions in January 2025 before resuming fuller engagement in May.

December

Dec 2 — WordPress 6.9 "Gene" released with major features: Notes (inline collaboration), Abilities API for granular permissions, Pattern Zoom for full-screen editing, Font Library enhancements, 90+ block improvements.

Dec 3 — Django 6.0 released—20 years, 447 releases. Template partials, built-in background tasks, CSP.

Dec 4 — Xdebug 3.5.0 released with PHP 8.5 support, native path mapping, Windows Named Pipes.

Dec 8 — PHP Foundation confirmed partial function application for PHP 8.6. Unanimously accepted 33-0-0. Complements pipe operator, enables currying/deferred arguments.

Dec 9 — Anthropic donated MCP to Linux Foundation, establishing Agentic AI Foundation (AAIF) with vendor-neutral governance. Strengthens Go/PHP MCP SDK investments.

Dec 15 — JupyterLab 4.5.1 released with bug fixes.

Dec 18 — Final 2025 coordinated security releases: PHP 8.1.34 (final release—8.1 EOL Dec 31), 8.2.30 (4 security bugs), 8.3.29 (CVE-2025-14177, 14178, 14180), 8.4.16 (4 CVEs), 8.5.1 (first 8.5 security patch). Notable vulnerabilities included: CVE-2025-14180 (PDO PostgreSQL NULL pointer deref), CVE-2025-14178 (heap buffer overflow in array_merge(), CVSS 6.5 MEDIUM), CVE-2025-14177 (getimagesize() uninitialized heap memory leak).

Dec 24 — Symfony AI v0.1.0 tagged with 75+ packages, 25+ AI provider connectors, MCP integration—2,000+ commits from 80+ contributors.

Dec 25 — Rector 2.3.0 released with FileNode for file-level changes.

Dec 31 — PHP 8.1 reached end of life after 4 years. Major hosting providers forced automatic upgrades to PHP 8.4. Triggered massive Q3/Q4 migration effort.

Dec 31 — Yii 3.0 officially released after years of development. Complete architectural rewrite: container-based, PSR-7/11/15 compliant, worker mode support (RoadRunner, Swoole, FrankenPHP), three templates (Web, API, Console).

Security Landscape

PHP core addressed six CVEs in 2025, including CVE-2025-1219 (libxml charset bypass), CVE-2025-1735 (PostgreSQL escaping flaw, CNA CVSS 5.9 / NIST 7.5), and December's cluster including CVE-2025-14178 (array_merge() overflow) and CVE-2025-14180 (PDO PostgreSQL NULL deref). Framework vulnerabilities ranged from Twig's XSS via null coalesce (fixed in 3.19.0) to Livewire's critical RCE (CVSS v4.0 9.2 / v3.1 9.8, fixed in 3.6.4), with 130,000+ public instances detected. 600+ Laravel apps were exposed via leaked APP_KEY values on GitHub.

The PHP Foundation's first comprehensive audit in over a decade found 27 issues, issuing 4 CVEs. Enterprise adoption remained strong: Slack documented PHP-to-HHVM transitions, Vimeo detailed static analysis (Psalm) for millions of legacy lines, and Wikipedia continued MediaWiki's PHP 8.x migration.

Market Position

PHP powered ~72% of websites with detectable server-side languages as of January 9, 2026, with 89% developer adoption of PHP 8.x per JetBrains. TIOBE rankings dropped from #13 (Jan 2025) to #15 (Jan 2026) after exiting the top 10 in April 2024. Framework adoption showed Laravel at 64%, Symfony 23%, WordPress 25%, with rising tooling: PHPStan 36% (+9 points) and Pest 17% (+4 points).

Framework Strategies

Laravel took over Inertia.js stewardship to complete vertical integration—framework, Laravel Cloud deployment, Forge 2.0, Nightwatch monitoring, Pest testing, and Inertia/Livewire frontends—positioning as a Vercel/Heroku competitor with framework-aware optimizations. Symfony 7.3 shipped JsonStreamer and ObjectMapper for memory-efficient APIs, then released 7.4 LTS and 8.0 simultaneously with identical features but diverging support (7.4: security until 2029; 8.0: requires PHP 8.4+).

Tooling Evolution

PHPStan 2.0's Level 10 targeting mixed types became a quality badge for open-source packages, with list<T> types distinguishing sequential from associative arrays. Pest 3 added native mutation testing to prevent false-positive tests; Pest 4 (39M+ installs, up from 18M in 2024) added Playwright browser testing and visual regression. composer audit integration became standard in CI/CD pipelines.

PHP Foundation

Managed $900,000 budget (up from $683,550 in 2024 donations from 658 sponsors) with 550+ donations in 2025. Key initiatives included the security audit (27 issues, 4 CVEs), FrankenPHP official support, PHP MCP SDK (Anthropic/Symfony collaboration), PIE 1.0 (PECL replacement), and Sovereign Tech Agency-funded stream layer improvements. The 10-developer team (expanding to 12 in 2026) includes Arnaud Le Blanc, Gina Peter Banyard, Ilija Tovilo, James Titcumb, and Joe Watkins (joined September). The Foundation began searching for its first full-time Executive Director.

Conference Ecosystem

Major gatherings included Laracon India (2,500+, first official), SymfonyCon Amsterdam (1,200+, Symfony's 20th), JetBrains PHPverse (26,000+ online, PHP's 30th), Laracon EU (700+), and Forum PHP (700+). Japan hosted 10+ regional conferences including PHP Conference Hiroshima (first edition) and Fukuoka (10th/final).

2026 Watchlist

1. PHP 8.6 and Partial Function Application

When: November 2026.

Context: Partial function application unanimously accepted 33-0-0 for PHP 8.6. Enables placeholder syntax (?) for partial callable application, complementing the pipe operator. For example: $addFive = add(?, 5); $result = $addFive(3); returns 8. Works hand-in-hand with pipe operator to bring functional patterns natively to PHP. Additional features likely: clamp() function, potential async improvements, continued JIT enhancements.

Action: Test partial application patterns in development. Plan migration timeline from 8.3/8.4 to 8.6. Audit codebase for opportunities to leverage functional composition.

2. Free-Threading Maturity (Python Context)

When: Monitor through 2026.

Context: While Python 3.14's GIL-optional builds showed the path forward, PHP's ecosystem hasn't announced similar plans. However, FrankenPHP's worker mode already delivers multi-request state reuse without traditional threading. The performance gains (3.5×) suggest alternative concurrency models may be more pragmatic for PHP than GIL removal.

Action: Evaluate FrankenPHP for CPU-bound workloads. Monitor PHP internals discussions for any async/concurrency proposals targeting PHP 9.0.

3. WordPress 7.0 Launch

Context: Major version delayed from late 2025 due to WP Engine legal issues. Automattic reduced sponsored contributions in January 2025 before resuming fuller engagement in May. WordPress 6.9 shipped December 2, 2025 with major features (Notes collaboration, Abilities API, Pattern Zoom). Version 7.0 will likely build on Gutenberg phase 3 collaborative editing capabilities and possibly require higher PHP baseline. WordPress powers ~43% of all websites—making this launch critical for PHP ecosystem health.

Action: Plan WordPress 7.0 testing for staging environments starting with Beta (Feb 19). If on WordPress 6.x, prepare migration strategy. Monitor WordPress governance stabilization. Test against Beta and RC releases before April 9 GA.

4. FrankenPHP Production Adoption

When: Now through 2026.

Context: Official PHP Foundation support validates FrankenPHP as production-ready. Benchmarks show 3.5× performance improvements, 80% response time reduction, and 15,000 req/sec vs PHP-FPM's 4,000. Native HTTP/2, HTTP/3, automatic HTTPS. Worker mode keeps application kernel in memory across requests.

Action: Pilot FrankenPHP in non-critical environments. Benchmark against existing PHP-FPM setup. Evaluate for Laravel/Symfony applications with high traffic or cost-sensitive deployments. Consider static binary builds for simplified distribution.

5. PHP Foundation Executive Director Transition

When: Early 2026.

Context: Search announced November 10, 2025 for first full-time Executive Director after Roman Pronskiy stepped down. Application deadline: December 15, 2025. New leadership will coordinate $900,000 budget, 12 developers (expanding from 10), and growing ecosystem initiatives. Critical for long-term sustainability and strategic direction.

Action: Organizations using PHP commercially should consider PSF-style sponsorship or Supporting Membership. Monitor new ED's priorities and Foundation roadmap announcements.

6. Django 4.2 LTS End of Life

When: April 2026.

Context: Django 5.2 LTS released April 2025 with security updates through April 2028. Multiple SQL injection vulnerabilities patched in 2025—staying current is security-critical. 75% use latest stable for new projects.

Action: If on Django 4.x, plan migration to 5.2 LTS before April 2026 EOL. Test Composite Primary Keys support and new features. Review security bulletins for vulnerabilities affecting older versions.

7. Generics Proposal Development

When: Monitor through 2026 for potential PHP 8.6 or 9.0 inclusion.

Context: Gina Banyard's compile-time generics proposal (August 2025) targets interfaces/abstract classes only to avoid runtime overhead. Community response mixed—supporters say 80% of benefits for 20% of work, skeptics warn of "half-baked" permanent limitations. No RFC vote yet.

Action: Monitor PHP internals discussions. Prepare feedback if RFC voting opens. Evaluate impact on type-heavy codebases and static analysis tooling.

8. Laravel Ecosystem Consolidation

When: Ongoing through 2026.

Context: Laravel took over stewardship of Inertia.js, solidifying "Modern Monolith" strategy. Laravel Cloud, Forge 2.0, Nightwatch create vertically integrated platform. Laravel 13 expected Q1 2026 with likely deeper PHP 8.5/8.6 feature integration.

Action: Evaluate Laravel Cloud for new deployments vs. traditional VPS/container strategies. Plan Laravel 13 upgrade path. Consider Inertia.js for hybrid React/Vue architectures now that it's officially part of Laravel ecosystem.

9. Supply Chain Security Posture

When: Now.

Context: Python 3.14 ships Sigstore-only signing and includes SBOMs. PHP ecosystem modernizing similarly. 600+ Laravel apps exposed via GitHub APP_KEY leaks demonstrated secrets management risks.

Action: Verify Sigstore signatures for PHP releases. Audit dependency sources. Pin versions with hashes in composer.lock. Implement secrets scanning in CI/CD. Never commit .env files or APP_KEY values to public repositories.
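
A small version of the secrets-scanning step recommended above, as an added example (not code from the original article or from any project it mentions): it scans repository text for usable Laravel APP_KEY values and reports a truncated SHA-256 fingerprint instead of the key itself. The sample files and key are constructed, and the function names are hypothetical.

```python
import base64
import binascii
import hashlib
import re
import sys
from typing import NamedTuple

# Laravel's ciphers take a 16-byte (AES-128) or 32-byte (AES-256) key.
VALID_KEY_LENGTHS = (16, 32)
B64_TOKEN = re.compile(r"base64:([A-Za-z0-9+/]+={0,2})")
ENV_ASSIGN = re.compile(r"""^\s*(?:export\s+)?APP_KEY\s*[=:]\s*["']?([^"'\s#]+)""")


class Finding(NamedTuple):
    path: str
    line: int
    kind: str         # "base64" (prefixed key) or "raw" (unprefixed key)
    fingerprint: str  # truncated SHA-256 of the key bytes, safe to log


def extract_key(line):
    """Return (kind, key_bytes) if the line carries a usable APP_KEY, else None."""
    if "APP_KEY" not in line:
        return None
    m = B64_TOKEN.search(line)
    if m:
        try:
            key = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            return None  # placeholder or truncated value
        return ("base64", key) if len(key) in VALID_KEY_LENGTHS else None
    m = ENV_ASSIGN.match(line)
    if m and len(m.group(1)) in VALID_KEY_LENGTHS:
        return ("raw", m.group(1).encode())
    return None


def scan_text(path, text):
    """Scan one file's text and return a Finding per line holding a usable key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = extract_key(line)
        if hit:
            kind, key = hit
            fp = hashlib.sha256(key).hexdigest()[:12]
            findings.append(Finding(path, lineno, kind, fp))
    return findings


def scan_repo(files):
    """files maps path -> text; returns findings sorted by path and line."""
    return sorted(f for path, text in files.items() for f in scan_text(path, text))


# Constructed sample data: the key is bytes 0..31, not a real secret.
SAMPLE_KEY = "base64:" + base64.b64encode(bytes(range(32))).decode()
SAMPLE_REPO = {
    ".env.example": "APP_NAME=Laravel\nAPP_KEY=\n",                  # empty value
    ".env": f"APP_ENV=production\nAPP_KEY={SAMPLE_KEY}\n",           # committed key
    "config/app.php": f"    'key' => env('APP_KEY', '{SAMPLE_KEY}'),\n",  # hardcoded fallback
    "docker-compose.yml": "      APP_KEY: ${APP_KEY}\n",              # reference only
    "README.md": "Set APP_KEY=base64:xxxx before deploying.\n",       # placeholder
}

if __name__ == "__main__":
    results = scan_repo(SAMPLE_REPO)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind} APP_KEY, sha256 prefix {f.fingerprint}")
    sys.exit(1 if results else 0)  # non-zero exit fails the CI job
```

Matching fingerprints across files or repositories show the same key being reused. A key that has been committed stays in the repository history, so a finding means rotating the key rather than only deleting the line.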

10. PHP 9.0 Planning

When: Potential announcement/roadmap in 2026 for future release.

Context: License update proposal targets PHP 9.0—changing to Modified BSD License (BSD-3-Clause) to resolve decades of legal ambiguity and GPL incompatibility. The custom "PHP License" created compatibility issues with GPL software and corporate legal departments. BSD-3-Clause adoption would align PHP with modern open-source standards, critical for long-term enterprise adoption.

Breaking changes accumulating for PHP 9.0:

  • Undefined variables/properties promoted to fatal errors

  • Strict increment/decrement behavior (TypeError on strings/booleans)

  • Remove autovivification from false

  • Remove all 8.1-8.4 deprecations

  • Dynamic properties as ErrorException

Action: Monitor RFC discussions for PHP 9.0 timeline. Audit codebases for deprecated patterns. Plan modernization strategy to minimize PHP 9.0 migration friction. Review legal implications of license change with counsel if deploying PHP in proprietary systems.

11. Testing Tool Migration (Pest Momentum)

When: Evaluate in 2026.

Context: Pest 4 launched with 39M+ installs (up from 18M in 2024), 17% usage (+4 points YoY). Playwright browser testing, visual regression, test sharding. PHPUnit still at 50% but Pest gaining framework adoption momentum.

Action: Evaluate Pest for new projects. Consider migration from PHPUnit for teams valuing developer experience and modern syntax. Test browser testing features if E2E coverage is requirement.

12. AI Integration via MCP

When: Ongoing through 2026.

Context: PHP Foundation's official MCP SDK enables PHP applications to expose tools to AI systems. MCP donated to Linux Foundation (Agentic AI Foundation) with vendor-neutral governance strengthens long-term viability.

Action: Evaluate MCP SDK for exposing PHP APIs to AI agents. Test integration patterns for Laravel/Symfony applications. Monitor MCP spec updates and tooling ecosystem growth.

PHP Foundation 2026 Priorities

  1. Hire 2 new developers — Expanding from 10 to 12 contractors to accelerate core development

  2. Onboard new Executive Director — First full-time ED replacing Roman Pronskiy's interim leadership

  3. Continue security initiatives — Build on 2025's comprehensive audit momentum

  4. EU Cyber Resilience Act compliance — Collaborate on regulatory compliance for European deployments

  5. Develop high-level PHP roadmap — Multi-year strategic vision for language evolution
