CVE-2026-6735 PUBLISHED

XSS within PHP-FPM status endpoint

Assigner: php
Reserved: 21.04.2026 Published: 10.05.2026 Updated: 10.05.2026

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, 8.5. before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber
CVSS Score: 7.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	PHP Group
Product	PHP
Versions	Default: affected affected from 8.2.* to 8.2.31 (excl.) affected from 8.3.* to 8.3.31 (excl.) affected from 8.4.* to 8.4.21 (excl.) affected from 8.5.* to 8.5.6 (excl.)

Credits

conradfd@proton.me reporter

References

https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv

Problem Types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') CWE

Impacts

CAPEC-63 Cross-Site Scripting (XSS)