CVE-2026-6735 Overview
CVE-2026-6735 is a reflected Cross-Site Scripting (XSS) vulnerability [CWE-79] in PHP affecting the PHP-FPM (FastCGI Process Manager) status page. The flaw stems from improper sanitization of user-supplied data, allowing attackers to craft a malicious URL that executes arbitrary JavaScript when an administrator views the PHP-FPM status page. The vulnerability affects PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6. Exploitation requires user interaction, but the attack vector is network-based and requires no privileges.
Critical Impact
A successful attack executes arbitrary JavaScript in the context of an administrator session viewing the PHP-FPM status page, potentially leading to session theft, credential harvesting, or backend administrative actions.
Affected Products
- PHP 8.2.* before 8.2.31
- PHP 8.3.* before 8.3.31
- PHP 8.4.* before 8.4.21 and PHP 8.5.* before 8.5.6
Discovery Timeline
- 2026-05-10 - CVE-2026-6735 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-6735
Vulnerability Analysis
The vulnerability resides in the PHP-FPM status page handler, which renders request information without proper output encoding. PHP-FPM provides a built-in status endpoint that operators expose to monitor worker processes, request durations, and request URIs. When the status page formats certain request-derived fields, it fails to apply HTML context encoding to attacker-controlled values.
An attacker can craft a request whose URI or query parameters contain JavaScript payloads. When an administrator later views the PHP-FPM status page, the malicious content is rendered inline and executed by the administrator's browser. This is a classic stored or reflected XSS condition mapped to [CWE-79].
The vulnerability is exploitable in deployments where the PHP-FPM status page is reachable, even indirectly, by attacker-controlled requests and is subsequently viewed by privileged users.
Root Cause
The root cause is missing HTML entity encoding of user-controlled data within the PHP-FPM status page output routine. Request URIs, query strings, and related request metadata are written into the response without sanitization, breaking the trust boundary between attacker input and operator-facing HTML.
Attack Vector
The attack requires the attacker to send a crafted HTTP request to the target PHP-FPM service that records the malicious payload in tracked request data. The attacker then waits for, or social-engineers, an administrator into loading the status page. Because exploitation depends on operator interaction, the impact is gated on someone viewing the status interface.
No authentication is required to submit the malicious request. Refer to the PHP Security Advisory GHSA-7qg2-v9fj-4mwv for additional technical details.
Detection Methods for CVE-2026-6735
Indicators of Compromise
- HTTP access logs containing request URIs with <script>, javascript:, or HTML-encoded payloads such as %3Cscript%3E targeting the PHP-FPM backend.
- Unusual outbound requests from administrator browsers immediately after the PHP-FPM status page is loaded.
- Status page responses containing unencoded <, >, or " characters in request URI fields.
Detection Strategies
- Inspect web server and PHP-FPM access logs for request URIs containing script tags, event handlers (onerror=, onload=), or encoded JavaScript payloads.
- Deploy web application firewall (WAF) rules to flag XSS payload patterns directed at the PHP-FPM upstream or status endpoint path.
- Compare deployed PHP versions against the fixed releases 8.2.31, 8.3.31, 8.4.21, and 8.5.6 to identify exposed hosts.
Monitoring Recommendations
- Monitor access to the PHP-FPM status page URL and alert when it is fetched from non-administrative source addresses.
- Enable Content Security Policy (CSP) reporting on status dashboards to capture inline script execution attempts.
- Centralize PHP-FPM and reverse proxy logs to enable correlation between attacker-submitted URIs and subsequent administrator status page views.
How to Mitigate CVE-2026-6735
Immediate Actions Required
- Upgrade PHP to 8.2.31, 8.3.31, 8.4.21, or 8.5.6 or later depending on the deployed branch.
- Restrict access to the PHP-FPM status page to trusted internal addresses using reverse proxy access controls.
- Audit recent access logs for crafted URIs targeting the FPM backend prior to patching.
Patch Information
The PHP project addressed the vulnerability in PHP 8.2.31, 8.3.31, 8.4.21, and 8.5.6. Patch details are published in the PHP Security Advisory GHSA-7qg2-v9fj-4mwv.
Workarounds
- Disable the PHP-FPM status page by removing or commenting out the pm.status_path directive in the FPM pool configuration if monitoring is not required.
- Place the status endpoint behind authentication and IP allow-listing at the web server layer (Nginx or Apache).
- Apply a strict Content Security Policy on the status page response to block inline script execution.
# Example Nginx restriction for the PHP-FPM status page
location = /status {
allow 127.0.0.1;
allow 10.0.0.0/8;
deny all;
include fastcgi_params;
fastcgi_pass unix:/run/php/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
# Or disable the status page entirely in the FPM pool config
# /etc/php/8.x/fpm/pool.d/www.conf
# pm.status_path = /status <-- comment out this line
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
