https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=php:5.6&search_type=all

: The PHP 5 ChangeLog provides the definitive list of bugs fixed in the 5.6.40 release.

This critical vulnerability occurs in mbstring regular expression functions when they are supplied with invalid multibyte data. It can allow a remote attacker to compromise the target system.

There is no permanent security fix for PHP 5.6.40 other than upgrading.

Let’s get straight to the point: