Medium severity 6.1 · NVD Advisory · Published May 10, 2026 · Updated May 12, 2026
CVE-2026-6735
Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, improper sanitization of user data allows an attacker to compose a URL that causes arbitrary JavaScript code to execute (XSS) on the target's machine when the target views the PHP-FPM status page.
Affected products
44 listed. osv-coords, 42 versions (no CPE for any entry):
- pkg:apk/chainguard/php-8.2, range: < 8.2.31-r0
- pkg:apk/wolfi/php-8.2, range: < 8.2.31-r0
- pkg:bitnami/libphp, range: >= 8.2.0, < 8.2.31
- pkg:bitnami/php, range: >= 8.2.0, < 8.2.31
- pkg:bitnami/php-min, range: >= 8.2.0, < 8.2.31
- pkg:rpm/almalinux/apcu-panel, range: < 5.1.23-1.module_el9.6.0+151+5f31e576
- pkg:rpm/almalinux/libzip, range: < 1.7.3-1.module_el8.10.0+3796+30ed3ef7
- pkg:rpm/almalinux/libzip-devel, range: < 1.7.3-1.module_el8.10.0+3796+30ed3ef7
- pkg:rpm/almalinux/libzip-tools, range: < 1.7.3-1.module_el8.10.0+3796+30ed3ef7
- pkg:rpm/almalinux/php, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-bcmath, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-cli, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-common, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-dba, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-dbg, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-devel, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-embedded, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-enchant, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-ffi, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-fpm, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-gd, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-gmp, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-intl, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-ldap, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-mbstring, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-mysqlnd, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-odbc, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-opcache, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-pdo, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-pear, range: < 1:1.10.14-1.module_el8.10.0+3796+30ed3ef7
- pkg:rpm/almalinux/php-pecl-apcu, range: < 5.1.23-1.module_el9.6.0+151+5f31e576
- pkg:rpm/almalinux/php-pecl-apcu-devel, range: < 5.1.23-1.module_el9.6.0+151+5f31e576
- pkg:rpm/almalinux/php-pecl-redis6, range: < 6.1.0-2.module_el9.6.0+151+5f31e576
- pkg:rpm/almalinux/php-pecl-rrd, range: < 2.0.3-4.module_el9.6.0+151+5f31e576
- pkg:rpm/almalinux/php-pecl-xdebug3, range: < 3.3.1-1.module_el9.6.0+151+5f31e576
- pkg:rpm/almalinux/php-pecl-zip, range: < 1.22.3-1.module_el9.6.0+151+5f31e576
- pkg:rpm/almalinux/php-pgsql, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-process, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-snmp, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-soap, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/almalinux/php-xml, range: < 8.3.31-2.module_el9.8.0+255+747189f2
- pkg:rpm/opensuse/php8&distro=openSUSE%20Tumbleweed, range: < 8.5.6-1.1
References
- github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv (nvd; Vendor Advisory, Exploit)
News mentions
- Patch Tuesday - May 2026, Rapid7 Blog · May 13, 2026