XSS within PHP-FPM status endpoint

Content

Improper sanitization of the request URI within the PHP-FPM status page allows an attacker to execute arbitrary JavaScript code (XSS) on the victim's machine, possibly stealing cookies on insufficiently hardened systems, or stealing other sensitive data such as the information from the status page itself. An attacker does not require authentication or access to the /status endpoint in order to trigger the XSS: it is enough to request a URI that embeds the malicious code, which is then reflected unescaped when the full status page is viewed.

  1. Navigate to example.com/
  2. Navigate to example.com/status?full&html
  3. Observe the JavaScript pop-up.

The same is possible for the XML endpoint, possibly embedding malicious XML nodes into the status report.

  1. Navigate to example.com/<
  2. Navigate to example.com/status?full&xml
  3. Observe the XML parsing error.
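The root cause in both cases is the same: a request URI is copied verbatim into HTML or XML output. The following C code is an added example written for this page, not the php-src fix and not code from the advisory. It shows the defensive pattern a status page needs: a context-aware escaping routine applied to the reflected URI before it is emitted, plus a small predicate that flags URIs a defender would want to see in access logs. The row layout in `render_request_row` and the sample URI are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Escape a string so it can be embedded as text or attribute content in
 * HTML or XML.  '&', '<', '>', '"' and '\'' are replaced by entities that
 * are valid in both markup languages ("&#39;" rather than "&apos;", which
 * HTML4 parsers do not know).  Returns the number of bytes written,
 * excluding the terminating NUL, or (size_t)-1 if `out` is too small. */
size_t escape_markup(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    for (const char *p = in; *p; p++) {
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        size_t n = rep ? strlen(rep) : 1;
        /* +1 keeps room for the NUL; refuse rather than truncate mid-entity */
        if (used + n + 1 > outlen)
            return (size_t)-1;
        if (rep)
            memcpy(out + used, rep, n);
        else
            out[used] = *p;
        used += n;
    }
    out[used] = '\0';
    return used;
}

/* Returns 1 if the URI contains any byte that must be escaped before it
 * is reflected into HTML or XML, 0 otherwise.  Handy for flagging
 * request URIs in access logs when reviewing exposure of a status page. */
int uri_needs_escaping(const char *uri)
{
    return strpbrk(uri, "&<>\"'") != NULL;
}

/* Emit one (hypothetical) status-page row for a worker's request URI.
 * The URI passes through escape_markup() first, so markup in the
 * request cannot break out of the <td>.  Returns bytes written or -1. */
int render_request_row(const char *request_uri, char *out, size_t outlen)
{
    char esc[512];
    if (escape_markup(request_uri, esc, sizeof esc) == (size_t)-1)
        return -1;
    int n = snprintf(out, outlen, "<tr><td>%s</td></tr>\n", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed sample: a request URI carrying markup characters. */
    const char *uri = "/<b>x</b>?q=\"a\"&r='b'";
    char row[1024];

    if (uri_needs_escaping(uri))
        fputs("URI contains markup characters; escaping before output\n", stdout);
    if (render_request_row(uri, row, sizeof row) < 0)
        return 1;
    fputs(row, stdout);
    return 0;
}
```

The same escaping function serves the XML status output, since every entity it produces is also a predefined XML entity or a numeric character reference; the only difference is that in XML the escaped value would be placed inside an element such as `<request-uri>` rather than a `<td>`.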

Linked CVEs

CVE-ID: CVE-2026-6735
Severity (CVE.org), CVSS (CVE.org), EPSS, EPSS-%, Published (CVE.org): - - - -

Source details

Designation: PHP Security (php/php-src GHSA)
Name: php_sec
Category: vendor_advisory
Tags: php, runtime
Audience: -
Language: de
Feed URL: https://github.com/php/php-src/security/advisories