XSS via PHP-FPM Status Page (PHP < 8.5.6, 8.4.21, 8.3.31, 8.2.31)
CVE-2026-6735 Published on May 10, 2026
XSS within PHP-FPM status endpoint
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21 and 8.5.* before 8.5.6, improper sanitization of user-supplied data allows an attacker to craft a URL that causes arbitrary JavaScript to execute (XSS) in the browser of a target who views the PHP-FPM status page.
Weakness Type
What is an XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-6735 has been classified as an XSS vulnerability (CWE-79 weakness).
Products Associated with CVE-2026-6735
Affected Versions
PHP Group PHP:
- Versions 8.2.* below 8.2.31 are affected.
- Versions 8.3.* below 8.3.31 are affected.
- Versions 8.4.* below 8.4.21 are affected.
- Versions 8.5.* below 8.5.6 are affected.
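To check whether a host runs an affected build, the following added Python example (not from the advisory or the PHP project) encodes the per-branch fixed versions listed above; it parses a `php -v` style string and only invokes the `php` binary when run directly.

```python
# Added example: classify an installed PHP version against the
# CVE-2026-6735 affected ranges given on this page.
import re
import subprocess

# First fixed release per minor branch, taken from the advisory.
# Branches not listed here (e.g. 8.1) are outside the advisory's scope.
FIXED = {
    (8, 2): (8, 2, 31),
    (8, 3): (8, 3, 31),
    (8, 4): (8, 4, 21),
    (8, 5): (8, 5, 6),
}


def parse_version(text):
    """Extract the first x.y.z version from strings like 'PHP 8.3.12 (cli)'
    or '8.4.20-1ubuntu1' and return it as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the version is below its branch's fixed release, False if
    it is fixed, None if the branch is not covered by this advisory."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def installed_php_version():
    """Return the first line of `php -v`, or None if php is not on PATH."""
    try:
        out = subprocess.run(["php", "-v"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.splitlines()[0] if out else None


if __name__ == "__main__":
    ver = installed_php_version()
    if ver is None:
        print("php not found on PATH")
    else:
        status = {True: "AFFECTED", False: "fixed", None: "branch not covered"}
        print(f"{ver}: {status[is_affected(ver)]}")
```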