XSS Vulnerability in PHP-FPM Status Page Affects PHP Versions
CVE-2026-6735

7.3HIGH

Key Information:

Vendor: PHP Group
Status: PHP
Vendor: CVE Published:; 10 May 2026

What is CVE-2026-6735?

An XSS vulnerability exists in the PHP-FPM status page across multiple PHP versions, stemming from inadequate sanitization of user-provided data. This weakness allows attackers to craft a malicious URL that, when accessed by a user, can trigger the execution of arbitrary JavaScript on their machine, leading to potential data breaches or compromise. It is critical for users of affected PHP versions, particularly in environments where the PHP-FPM status page is accessible, to apply necessary updates and mitigate this risk.

Affected Version(s)

PHP 8.2.*

PHP 8.2.* < 8.2.31

PHP 8.3.* < 8.3.31

References

https://github.com/php/php-src/security/advisories/GHSA-7...

CVSS V4

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 10, 2026
Vulnerability Reserved
Apr 21, 2026

Credit

conradfd@proton.me

CVE-2026-6735 Data

JSON