CVE-2026-6735
MEDIUM6.1EPSS 0.05%XSS within PHP-FPM status endpoint
發布日:2026/5/10修改日:2026/5/16
描述
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
受影響套件(6)
- Bitnami/libphp>= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6
- Bitnami/php>= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6
- Bitnami/php-min>= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6
- Debian/php7.4from 0, < 7.4.33-1+deb11u11
- Debian/php8.2from 0, < 8.2.31-1~deb12u1
- Debian/php8.4from 0, < 8.4.21-1~deb13u1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:L/U:Amber |
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |