Medium severity 6.1 · NVD Advisory · Published May 10, 2026 · Updated May 12, 2026
CVE-2026-6735
Description
PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6 improperly sanitize user data. This allows an attacker to compose a URL that causes arbitrary JavaScript code to execute (XSS) on the target's machine when the target views the PHP-FPM status page.
Affected products: 2
Patches: 0
No patches discovered yet.
References
- github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv (nvd; Vendor Advisory, Exploit)
News mentions
- Patch Tuesday - May 2026 (Rapid7 Blog · May 13, 2026)