CVE-2026-6735

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv	Vendor Advisory Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

History

12 May 2026, 17:43

Type	Values Removed	Values Added
References	~~() https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv -~~	() https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv - Vendor Advisory, Exploit
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
CPE		cpe:2.3:a:php:php::::::::
First Time		Php Php php

10 May 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-10 05:16

Updated : 2026-05-12 17:43

NVD link : CVE-2026-6735

Mitre link : CVE-2026-6735

CVE.ORG link : CVE-2026-6735

JSON object : View

Products Affected

php

php

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-6735", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security@php.net", "cvssData": {"Safety": "PRESENT", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:L/U:Amber", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "AMBER", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-10T05:16:11.213", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv", "tags": ["Vendor Advisory", "Exploit"], "source": "security@php.net"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@php.net", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it\u00a0allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the\u00a0PHP-FPM status page."}], "lastModified": "2026-05-12T17:43:15.637", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A892B6FF-F4EB-40C6-8DD0-D2246A71D271", "versionEndExcluding": "8.2.31", "versionStartIncluding": "8.2.0"}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9DBBB51D-F0C4-4CEC-9B6B-33D0BF0044A5", "versionEndExcluding": "8.3.31", "versionStartIncluding": "8.3.0"}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA663C03-392C-41CC-BD11-4A1245203C42", "versionEndExcluding": "8.4.21", "versionStartIncluding": "8.4.0"}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6101DA12-5AA1-4882-A52A-61FB74254F9A", "versionEndExcluding": "8.5.6", "versionStartIncluding": "8.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@php.net"}