VYPR
Medium severity6.1NVD Advisory· Published May 10, 2026· Updated May 12, 2026

CVE-2026-6735

CVE-2026-6735

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

44

Patches

Vulnerability mechanics

References

1

News mentions

1