CVE-2026-6735
Published 2026-05-10
Priority: P4 29 · medium · CVSS 3.1 base score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.21% (11.2th percentile)
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose a URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php8.4 | — | — |
| devspaces | code-rhel9 | — | — |
| php | php | — | — |
| php | php | >= 8.2.0 < 8.2.31 | 8.2.31 |
| php | php | >= 8.3.0 < 8.3.31 | 8.3.31 |
| php | php | >= 8.4.0 < 8.4.21 | 8.4.21 |
| php | php | >= 8.5.0 < 8.5.6 | 8.5.6 |
| php_7.4 | php | — | — |
| php_8.2 | php | — | — |
| php_8.3 | php | — | — |
| php_group | php | >= 8.2.* < 8.2.31 | 8.2.31 |
| php_group | php | >= 8.3.* < 8.3.31 | 8.3.31 |
| php_group | php | >= 8.4.* < 8.4.21 | 8.4.21 |
| php_group | php | >= 8.5.* < 8.5.6 | 8.5.6 |
| rhoai | odh-workbench-codeserver-datascience-cpu-py312-rhel9 | — | — |
| ubuntu | php8.1 | — | — |
| ubuntu | php8.3 | — | — |
| ubuntu | php8.4 | — | — |
| ubuntu | php8.5 | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 7.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:L/U:Amber |
| vendor_ubuntu | — | 7.4 | HIGH | — |
| vendor_redhat | — | 7.3 | HIGH | — |
Ubuntu
PHP vulnerabilities · vendor_ubuntu · 2026-05-28 · CVSS 7.4
CVE-2026-7259 [HIGH]
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An attacker could possibly use this issue to perform SQL injection attacks. (CVE-2025-14179)

It was discovered that PHP incorrectly handled certain encoding names in mbstring. An attacker could possibly use this issue to obtain sensitive information or cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-6104)

It was discovered that PHP incorrectly handled object references while parsing crafted SOAP requests. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-6722)

It was discovered that PH
Red Hat
PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation · vendor_redhat · 2026-05-10 · CVSS 7.3
CVE-2026-6735 [HIGH] · CWE-79
A flaw was found in PHP, specifically within the PHP-FPM status page. Due to improper sanitation of user data, a remote attacker can craft a malicious URL. When a user views the PHP-FPM status page with this crafted URL, it can lead to the execution of arbitrary JavaScript code (Cross-Site Scripting or XSS) on their machine, potentially compromising their browser session or leading to further attacks.
Mitigation: Restrict network access to the PHP-FPM status page to trusted internal networks or localhost. This can be achieved by configuring web server access controls (e.g., Apache httpd or Nginx) to deny external access to the status page URL. If the PHP-FPM status page functionality is not required, it
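As an added example of the access-control mitigation above (not configuration from Red Hat's advisory or the PHP project), an Nginx server block that serves the PHP-FPM status page only to localhost and one internal range; the status path `/status`, the `example.internal` host name, the FPM socket path and the `10.0.0.0/8` trusted range are assumptions.

```nginx
# Added example: expose the PHP-FPM status page only to trusted clients.
# Assumptions: the FPM pool sets pm.status_path = /status and listens on
# unix:/run/php/php-fpm.sock; 10.0.0.0/8 stands in for the trusted network.
server {
    listen 80;
    server_name example.internal;

    # Exact match for the status path; query strings (e.g. ?full) still hit
    # this block because Nginx matches locations on the path only.
    location = /status {
        allow 127.0.0.1;
        allow ::1;
        allow 10.0.0.0/8;
        deny  all;          # every other client gets 403 before FPM sees it

        access_log off;
        include fastcgi_params;
        fastcgi_param SCRIPT_NAME /status;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Anything that merely starts with /status (e.g. /status/ or /status.php)
    # is not the status page and is refused outright.
    location ~ ^/status(/|\.) {
        deny all;
    }

    # Normal PHP handling for the rest of the site.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

If the status page is not needed at all, leave `pm.status_path` unset in the pool configuration so FPM never serves it, regardless of web server rules.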
VulDB
PHP up to 8.2.30/8.3.30/8.4.20/8.5.5 cross site scripting (GHSA-7qg2-v9fj-4mwv / WID-SEC-2026-1433) · vuldb · 2026-05-10 · CVSS 7.3
CVE-2026-6735 [HIGH]
A vulnerability labeled as problematic has been found in PHP up to 8.2.30/8.3.30/8.4.20/8.5.5. Affected by this issue is some unknown functionality. The manipulation results in cross site scripting.
This vulnerability is cataloged as CVE-2026-6735. The attack may be launched remotely. There is no exploit available.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
Rapid7
Patch Tuesday - May 2026 · blogs_rapid7 · 2026-05-13 · CVSS 10.0
CVE-2026-41089 [CRITICAL]
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that's SYSTEM privileges on the domain controller. For most pentesters, that's the point at which the customer report more or less writes itself. No privileges
Bugzilla
CVE-2026-6735 PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation · bugzilla · 2026-05-10 · CVSS 7.3
CVE-2026-6735 [HIGH]
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose a URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
Published 2026-05-10