CVE-2026-6735 HIGH

CVE-2026-6735: XSS within PHP-FPM status endpoint

Vendor Php Group

Product PHP

Weakness CWE-79 · XSS

Published May 10, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

7.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber

What the vulnerability does

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

Key dates

Disclosure timeline

May 10, 2026 CVE published

May 11, 2026 Record updated

Identifiers

CVE CVE-2026-6735

CWE CWE-79

CVSS 7.3 / HIGH

Affected versions

Vendor Php Group

Product PHP

Affected ≥ 8.2.* and < 8.2.31

Vendor Php Group

Product PHP

Affected ≥ 8.3.* and < 8.3.31

Vendor Php Group

Product PHP

Affected ≥ 8.4.* and < 8.4.21

Vendor Php Group

Product PHP

Affected ≥ 8.5.* and < 8.5.6