Back to search
CVE-2026-6735
Published: May 10, 2026
Modified: May 11, 2026
PUBLISHED
Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
| Vendor | Product | Versions |
|---|---|---|
PHP Group | PHP | affected 8.2.* - < 8.2.31affected 8.3.* - < 8.3.31affected 8.4.* - < 8.4.21affected 8.5.* - < 8.5.6 |
Weaknesses (CWE)
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now