CVE-2026-6735— XSS within PHP-FPM status endpoint

AI Predicted 6.1 Difficulty: Easy EPSS 0.03% · P9 Updated May 15, 2026

Possible ATT&CK Techniques 2AI

T1189 · Drive-by Compromise T1059.007 · JavaScript

Affected Version Matrix 4

Vendor	Product	Version Range	Status
PHP Group	PHP	`8.2.*< 8.2.31`	affected
		`8.3.*< 8.3.31`	affected
		`8.4.*< 8.4.21`	affected
		`8.5.*< 8.5.6`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-6735

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

XSS within PHP-FPM status endpoint

Source: NVD (National Vulnerability Database)

Vulnerability Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Source: NVD (National Vulnerability Database)

Vulnerability Title

PHP 跨站脚本漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

PHP是PHP开源的一种在服务器端执行的脚本语言。 PHP 8.2.31之前版本、8.3.31之前版本、8.4.21之前版本和8.5.6之前版本存在跨站脚本漏洞，该漏洞源于用户数据处理不当，允许攻击者构造URL，导致目标在查看PHP-FPM状态页面时执行任意JavaScript代码。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
PHP Group	PHP	8.2.* ~ 8.2.31	-

II. Public POCs for CVE-2026-6735

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-6735

请登录查看更多情报信息。

Advisory · 1

Same Patch Batch · PHP Group · 2026-05-10 · 10 CVEs total

CVE-2026-7258		Out-of-bounds read in urldecode() on NetBSD
CVE-2026-7262		NULL pointer dereference in SOAP apache:Map decoder with missing <value>
CVE-2026-7261		SoapServer session-persisted object use-after-free via SOAP header fault
CVE-2026-7259		Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
CVE-2026-7568		Signed integer overflow in metaphone()
CVE-2026-6722		Use-After-Free in SOAP using Apache map
CVE-2025-14179		SQL injection in pdo_firebird via NUL bytes in quoted strings
CVE-2026-7263		DoS attack via DOMNode::C14N()
CVE-2026-6104		Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding

IV. Related Vulnerabilities

Same product: PHP

Same vendor: PHP Group

Same weakness: CWE-79

V. Comments for CVE-2026-6735

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-6735— XSS within PHP-FPM status endpoint

Possible ATT&CK Techniques 2AI

Affected Version Matrix 4

I. Basic Information for CVE-2026-6735

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-6735

III. Intelligence Information for CVE-2026-6735

Same Patch Batch · PHP Group · 2026-05-10 · 10 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-6735

Leave a comment