CVE-2026-6735

Received

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

Severity

Score N/A

Severity UNKNOWN

Timeline

Published May 10, 2026

Modified May 10, 2026

References

https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv