{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-6735","assignerOrgId":"dd77f84a-d19a-4638-8c3d-a322d820ed2b","state":"PUBLISHED","assignerShortName":"php","dateReserved":"2026-04-21T00:39:47.273Z","datePublished":"2026-05-10T03:27:00.607Z","dateUpdated":"2026-05-11T13:25:54.957Z"},"containers":{"cna":{"providerMetadata":{"orgId":"dd77f84a-d19a-4638-8c3d-a322d820ed2b","shortName":"php","dateUpdated":"2026-05-10T03:27:00.607Z"},"title":"XSS within PHP-FPM status endpoint","datePublic":"2026-05-07T12:56:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-79","description":"CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-63","descriptions":[{"lang":"en","value":"CAPEC-63 Cross-Site Scripting (XSS)"}]}],"affected":[{"vendor":"PHP Group","product":"PHP","versions":[{"status":"affected","version":"8.2.*","lessThan":"8.2.31","versionType":"semver"},{"status":"affected","version":"8.3.*","lessThan":"8.3.31","versionType":"semver"},{"status":"affected","version":"8.4.*","lessThan":"8.4.21","versionType":"semver"},{"status":"affected","version":"8.5.*","lessThan":"8.5.6","versionType":"semver"}],"defaultStatus":"affected"}],"descriptions":[{"lang":"en","value":"In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it&nbsp;<span>allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the \ntarget is viewing the&nbsp;</span><span>PHP-FPM status page.</span></p>"}]}],"references":[{"url":"https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","subIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","Safety":"PRESENT","Automatable":"YES","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"LOW","providerUrgency":"AMBER","version":"4.0","baseSeverity":"HIGH","baseScore":7.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber"}}],"credits":[{"lang":"en","value":"conradfd@proton.me","type":"reporter"}],"source":{"advisory":"https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9f","discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-11T13:25:43.011891Z","id":"CVE-2026-6735","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-11T13:25:54.957Z"}}]}}