CVE-2026-6735
XSS within PHP-FPM status endpoint
6.1
MEDIUM
CVSS 3.1
EPSS 0.06%
Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
How to fix CVE-2026-6735
To remediate CVE-2026-6735, upgrade the affected package to a fixed version below.
- —upgrade to 8.2.31 or later
- —upgrade to 8.2.31 or later
- —upgrade to 8.2.31 or later
- —upgrade to 7.4.33-1+deb11u11 or later
- —upgrade to 8.2.31-1~deb12u1 or later
- —upgrade to 8.4.21-1~deb13u1 or later
Is CVE-2026-6735 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- >= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6
- >= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6
- >= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6
- from 0, < 7.4.33-1+deb11u11
- from 0, < 8.2.31-1~deb12u1
- from 0, < 8.4.21-1~deb13u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:L/U:Amber |
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |