Executive Summary

CVE-2026-6735 is a Cross-Site Scripting (XSS) vulnerability affecting certain PHP-FPM versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. It occurs because the PHP-FPM status page does not properly sanitize user-supplied data in the request URI.

This flaw allows an attacker to craft a malicious URL that, when visited by a user viewing the PHP-FPM status page, causes arbitrary JavaScript code to execute on the user's machine.

The vulnerability can be exploited without authentication by injecting scripts into the URL or XML endpoints, potentially leading to theft of cookies or sensitive information displayed on the status page.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in the context of the PHP-FPM status page.

Such execution can lead to theft of cookies or sensitive data visible on the status page, potentially compromising user sessions or exposing confidential information.

The attack can be triggered simply by visiting a maliciously crafted URL, which means users or administrators viewing the status page could be exposed to this risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your PHP-FPM status page is vulnerable to Cross-Site Scripting (XSS) via crafted URLs that inject JavaScript code.

• Attempt to access the PHP-FPM status page with a malicious URI such as: example.com/<script>alert()</script> or example.com/status?full&html to see if the injected script executes.
• Test the XML endpoint by visiting URLs like example.com/< or example.com/status?full&xml to check for parsing errors or unexpected behavior indicating vulnerability.

If the injected scripts execute or parsing errors occur, it indicates the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade PHP-FPM to one of the patched versions: 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later.

Avoid exposing the PHP-FPM status page publicly or restrict access to trusted users only.

Implement proper input sanitization and hardening measures on the server to prevent execution of arbitrary JavaScript code.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-6735 vulnerability allows attackers to execute arbitrary JavaScript code via Cross-Site Scripting (XSS) on the PHP-FPM status page due to improper sanitization of user data.

This XSS vulnerability could lead to theft of cookies or sensitive data from the status page on systems that are not properly hardened.

Such unauthorized access or exposure of sensitive data could potentially impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.

Therefore, if exploited, this vulnerability may result in non-compliance with these standards due to the risk of data leakage or unauthorized data processing.

Useful 0 Not Useful 0