Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose a URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
Published: 2026-05-10
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw involves improper sanitization of user data within the PHP-FPM status endpoint. When an attacker crafts a malicious URL and a victim views the resulting status page, the victim's browser executes arbitrary JavaScript. This lets the attacker run code in the context of any user who views the page, potentially stealing cookies or session identifiers, or performing further actions while impersonating that user.

Affected Systems

The vulnerability affects PHP Group's PHP implementation in versions 8.2.x before 8.2.31, 8.3.x before 8.3.31, 8.4.x before 8.4.21 and 8.5.x before 8.5.6. Systems running any of these releases that expose the PHP-FPM status page to users are impacted.

Risk and Exploitability

The CVSS score of 7.3 classifies this as a high-severity issue. EPSS data is not available, so the likelihood of exploitation cannot be quantified precisely. The vulnerability is not listed in CISA KEV, indicating no known widespread exploitation yet. The attack vector is inferred to be local or remote depending on whether the status page is publicly accessible; an attacker must be able to supply the crafted URL and have a victim view the page for the XSS to take effect.

Generated by OpenCVE AI on May 10, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade PHP to the first fixed release for the running branch (8.2.31, 8.3.31, 8.4.21 or 8.5.6).
  • If an upgrade is not immediately feasible, restrict or disable the PHP-FPM status endpoint by updating the pool configuration or using firewall rules to prevent unauthenticated access.
  • As a temporary measure, apply local output escaping or a custom filter to the status page output so that all user-supplied data is properly escaped before it is rendered.

Advisories

Source     | ID         | Title
Debian DSA | DSA-6255-1 | php8.2 security update
Debian DSA | DSA-6256-1 | php8.4 security update

History

Sun, 10 May 2026 05:45:00 +0000

Type               | Values Removed | Values Added
First Time appeared|                | Php Group; Php Group php
Vendors & Products |                | Php Group; Php Group php

Sun, 10 May 2026 04:45:00 +0000

Type        | Values Removed | Values Added
Description |                | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
Title       |                | XSS within PHP-FPM status endpoint
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV4_0 {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: php

Published:

Updated: 2026-05-10T03:27:00.607Z

Reserved: 2026-04-21T00:39:47.273Z

Link: CVE-2026-6735

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T05:16:11.213

Modified: 2026-05-10T05:16:11.213

Link: CVE-2026-6735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T05:30:05Z

Weaknesses