CVE-2026-6735 · Severity: HIGH · CNA: php

CVE-2026-6735: XSS within PHP-FPM status endpoint

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, improper sanitization of user data allows an attacker to compose a URL that causes arbitrary JavaScript code to execute (XSS) in the browser of a target who is viewing the PHP-FPM status page.

Metrics

CVSS v4.0 score: 7.3
Severity: HIGH
Fixed in: 8.2.31
Affected products: 1

Fix available: 8.2.31, 8.3.31, 8.4.21, 8.5.6
Affected packages
  • PHP Group / PHP
    < 8.2.31 (from 8.2.*) · < 8.3.31 (from 8.3.*) · < 8.4.21 (from 8.4.*) · < 8.5.6 (from 8.5.*)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber