CVE-2026-6735
PHP-FPM Status Page XSS Vulnerability
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: PHP Group
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| php | php | up to 8.2.31 (exclusive) |
| php | php | up to 8.3.31 (exclusive) |
| php | php | up to 8.4.21 (exclusive) |
| php | php | up to 8.5.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6735 is a cross-site scripting (XSS) vulnerability in the PHP-FPM status page of PHP versions before 8.2.31, 8.3.31, 8.4.21 and 8.5.6. It occurs because the status page echoes data from the request URI into its output without properly escaping it.
An attacker can therefore craft a URL that, when opened by a user who can view the PHP-FPM status page, causes attacker-supplied JavaScript to run in that user's browser.
No authentication is needed to exploit the flaw where the page is reachable; the injection affects both the HTML and the XML output formats, and a successful attack can lead to theft of cookies or of sensitive information shown on the status page.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in the context of the PHP-FPM status page.
Such execution can lead to theft of cookies or sensitive data visible on the status page, potentially compromising user sessions or exposing confidential information.
The attack is triggered simply by visiting a maliciously crafted URL, so any user or administrator who views the status page is exposed to this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Checking for this vulnerability means testing whether the PHP-FPM status page reflects request-URI content into its HTML or XML output without encoding it.
- Request the status page with a URI that contains markup, for example example.com/<script>alert()</script> or example.com/status?full&html, and observe whether the injected script runs in the browser.
- Test the XML output by requesting URLs such as example.com/< or example.com/status?full&xml and look for XML parsing errors or other unexpected behaviour indicating that the URI was embedded unencoded.
If the injected script runs or parsing errors appear, the installation is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade PHP-FPM to a patched version: 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later.
Do not expose the PHP-FPM status page publicly; restrict access to trusted users and addresses only.
As defence in depth, apply proper output encoding and server hardening so that reflected content cannot run as JavaScript in a viewer's browser.
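Probing with crafted URIs, as the detection answer above suggests, is less reliable than comparing the installed version against the fixed releases named here. The following POSIX shell script is an added example, not code from this page or from the PHP project: it classifies a PHP-FPM version string against the affected ranges in the table above, and assumes the first line of `php-fpm -v` has the form "PHP 8.3.10 (fpm-fcgi) (built: ...)".

```shell
#!/bin/sh
# Added example: check a PHP-FPM version string against the affected ranges
# listed for CVE-2026-6735 (fixed in 8.2.31, 8.3.31, 8.4.21 and 8.5.6).
# Not code from the advisory or the PHP project.

# Compare two dotted numeric versions; prints -1, 0 or 1 (like strcmp).
# Missing components count as 0, so "8.3" compares as "8.3.0".
version_cmp() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return 0; fi
    done
    echo 0
}

# Returns 0 (shell true) when the version is inside an affected range and
# 1 when it is at or above the fix for its branch.  Branches 8.3, 8.4 and
# 8.5 have their own cut-offs; every other version (8.2.x, 8.1, 7.x, ...)
# is measured against 8.2.31, the lowest fixed version in the table.
php_fpm_affected() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "RC1", "-dev", etc.
    case "$v" in
        8.3|8.3.*) fix=8.3.31 ;;
        8.4|8.4.*) fix=8.4.21 ;;
        8.5|8.5.*) fix=8.5.6 ;;
        *)         fix=8.2.31 ;;
    esac
    [ "$(version_cmp "$v" "$fix")" -lt 0 ]
}

# Read the version of a locally installed php-fpm binary.  Assumes the first
# line of `php-fpm -v` looks like "PHP 8.3.10 (fpm-fcgi) (built: ...)";
# the versioned binary names are an assumption about common distro layouts.
installed_php_fpm_version() {
    for bin in php-fpm php-fpm8.5 php-fpm8.4 php-fpm8.3 php-fpm8.2; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" -v 2>/dev/null | sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p' | head -n 1
            return 0
        fi
    done
    return 1
}
```

On a host, `php_fpm_affected "$(installed_php_fpm_version)"` exits 0 when the local binary falls inside an affected range and 1 when it is already at or past the fix for its branch.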
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-6735 allows attackers to execute arbitrary JavaScript via cross-site scripting (XSS) on the PHP-FPM status page because user-supplied data is not properly sanitized.
On systems that are not properly hardened, this XSS could lead to theft of cookies or of sensitive data shown on the status page.
Such unauthorized access or exposure of sensitive data could potentially impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.
Therefore, if exploited, this vulnerability may result in non-compliance with these standards due to the risk of data leakage or unauthorized data processing.