Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, due to improper sanitization of user data, an attacker can compose a URL that causes the target's browser to execute arbitrary JavaScript code (XSS) on the target's machine when the target views the PHP-FPM status page.

PUBLISHED | Reserved 2026-04-21 | Published 2026-05-10 | Updated 2026-05-10 | Assigner php

Severity

HIGH: 7.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber)

Problem types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

Product status

Default status: affected

8.2.* (semver) before 8.2.31: affected
8.3.* (semver) before 8.3.31: affected
8.4.* (semver) before 8.4.21: affected
8.5.* (semver) before 8.5.6: affected

Credits

conradfd@proton.me (reporter)

References

github.com/...hp-src/security/advisories/GHSA-7qg2-v9fj-4mwv

cve.org (CVE-2026-6735)

nvd.nist.gov (CVE-2026-6735)