PT-2026-39445 · Php+3

Conradfd@Proton.Me

Published: 2026-05-07
Updated: 2026-06-04

CVE-2026-6735

CVSS v4.0: 7.3 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/S:P/AU:Y/RE:L/U:Amber

Name of the Vulnerable Software and Affected Versions

PHP versions 8.2.0 through 8.2.30
PHP versions 8.3.0 through 8.3.30
PHP versions 8.4.0 through 8.4.20
PHP versions 8.5.0 through 8.5.5

Description

Improper sanitization of user data allows an attacker to craft a URL that executes arbitrary JavaScript code (Cross-Site Scripting) on a user's machine when the user views the PHP-FPM status page.

Recommendations

Update to version 8.2.31
Update to version 8.3.31
Update to version 8.4.21
Update to version 8.5.6

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

ALSA-2026:22142
ALSA-2026:22143
ALSA-2026:22305
ALSA-2026:23388
BIT-LIBPHP-2026-6735
BIT-PHP-2026-6735
BIT-PHP-MIN-2026-6735
CVE-2026-6735
OESA-2026-2342
OESA-2026-2343
OESA-2026-2344
OESA-2026-2420
OESA-2026-2421
OPENSUSE-SU-2026:10747-1
RHSA-2026:14125
RHSA-2026:22142
RHSA-2026:22143
RHSA-2026:22305
RHSA-2026:23388
USN-8336-1

Affected Products

Linuxmint
Php
Rocky Linux
Ubuntu