Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-10T03:27:00 PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CWE-79

A flaw was found in PHP, specifically within the PHP-FPM status page. Due to improper sanitation of user data, a remote attacker can craft a malicious URL. When a user views the PHP-FPM status page with this crafted URL, it can lead to the execution of arbitrary JavaScript code (Cross-Site Scripting or XSS) on their machine, potentially compromising their browser session or leading to further attacks.

Restrict network access to the PHP-FPM status page to trusted internal networks or localhost. This can be achieved by configuring web server access controls (e.g., Apache httpd or Nginx) to deny external access to the status page URL. If the PHP-FPM status page functionality is not required, it should be disabled in the PHP-FPM configuration. Any changes to web server or PHP-FPM configuration may require a service reload or restart to take effect. Red Hat Enterprise Linux 10 2026-06-02T00:00:00Z RHSA-2026:22649 php8.4-0:8.4.21-1.el10_2 Red Hat Enterprise Linux 10 2026-06-04T00:00:00Z RHSA-2026:23388 php-0:8.3.31-1.el10_2 Red Hat Enterprise Linux 8 2026-06-01T00:00:00Z RHSA-2026:22305 php:8.2-8100020260521052503.f7998665 Red Hat Enterprise Linux 9 2026-06-01T00:00:00Z RHSA-2026:22142 php:8.3-9080020260521113736.9 Red Hat Enterprise Linux 9 2026-06-01T00:00:00Z RHSA-2026:22143 php:8.2-9080020260521080715.9 Red Hat Hardened Images 2026-05-06T00:00:00Z RHSA-2026:14125 php-main-8.5.6-1.hum1 Red Hat Enterprise Linux 6 Fix deferred php Red Hat Enterprise Linux 7 Fix deferred php Red Hat Enterprise Linux 8 Fix deferred php:7.4/php Red Hat Enterprise Linux 9 Fix deferred php Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9 Red Hat OpenShift Dev Spaces Fix deferred devspaces/code-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-6735 https://nvd.nist.gov/vuln/detail/CVE-2026-6735 https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv