XSS within PHP-FPM status endpoint_CVE-2026-6735

7.3 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

Basic Information

ID CVE-2026-6735

Source php

Published May 10, 2026 at 03:27

Affected Product

Vendor PHP Group

Product PHP

Version 8.2.*

Affected Versions PHP Group PHP 8.2.*
PHP Group PHP 8.3.*
PHP Group PHP 8.4.*
PHP Group PHP 8.5.*

CWE Classification

CWE-79

References

github.com /php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv

{
    "lastseen": "",
    "description": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it\u00a0allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the\u00a0PHP-FPM status page.",
    "published": "2026-05-10T03:27:00.607Z",
    "modified": "2026-05-10T03:27:00.607Z",
    "type": "cve",
    "title": "XSS within PHP-FPM status endpoint",
    "source": "php",
    "references": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv",
    "id": "CVE-2026-6735",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "PHP Group PHP 8.2.*\nPHP Group PHP 8.3.*\nPHP Group PHP 8.4.*\nPHP Group PHP 8.5.*",
    "sourceHref": "",
    "cvss": {
        "score": 7.3,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PHP",
    "version": "8.2.*",
    "vendor": "PHP Group",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}