CVE-2026-6735
XSS within PHP-FPM status endpoint
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
15th
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
| CWE | CWE-79 |
| Vendor | php group |
| Product | php |
| Published | May 10, 2026 |
| Last Updated | May 11, 2026 |
Stay Ahead of the Next One
Get instant alerts for php group php
Be the first to know when new unknown vulnerabilities affecting php group php are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
PHP Group / PHP
8.2.* < 8.2.31 8.3.* < 8.3.31 8.4.* < 8.4.21 8.5.* < 8.5.6