CVE-2026-6735

XSS Vulnerability in PHP-FPM status page

Publication Date	2026-05-10
Severity	High
Type	Cross-Site Scripting
Affected PHP Versions	7.1.0-7.1.33 7.2.0-7.2.34 7.3.0-7.3.33 7.4.0-7.4.33 8.0.0-8.0.30 8.1.0-8.1.34 8.2.0-8.2.30 8.3.0-8.3.30 8.4.0-8.4.20 8.5.0-8.5.5
Fixed Product Versions	ZendPHP 7.1 ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendPHP 8.1 ZendPHP 8.2 ZendPHP 8.3 ZendPHP 8.4 ZendPHP 8.5 ZendServer 2021.4.5

CVE Details

An unauthenticated attacker over the network can craft a malicious URL that, when clicked by a user viewing the PHP-FPM status page, executes arbitrary JavaScript code in that user's browser within the context of the status page domain

Recommendations

Restrict access to the PHP-FPM status page to administrators only. Consider implementing Content Security Policy headers for the PHP-FPM status page to limit or prevent script execution.

< View all CVEs