CVE-2026-6735

Severity: medium
Published 2026-05-10 · Modified 2026-06-01
CVSS v3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVSS v4: 7.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:L/U:Amber)
VIR risk: 6.1

Description

Important: php:8.2 security update

Predictions

Exploit likelihood: 71%
Patch ETA: —

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata (Red Hat Inc.) · Open-Errata-API

Description

PHP: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation

Red Hat statement

Restrict network access to the PHP-FPM status page to trusted internal networks or localhost. This can be achieved by configuring web server access controls (e.g., Apache httpd or Nginx) to deny external access to the status page URL. If the PHP-FPM status page functionality is not required, it should be disabled in the PHP-FPM configuration. Any changes to web server or PHP-FPM configuration may require a service reload or restart to take effect.
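The access-control part of the statement above, as an added example that is neither Red Hat's nor the PHP project's configuration: an nginx server fragment that serves the PHP-FPM status endpoint only to loopback and one internal range and answers 403 to everyone else. The hostname, document root, socket path, the 10.0.0.0/8 range and the pool's status path (/status) are assumptions.

```nginx
# Added example: expose the PHP-FPM status page only to trusted sources.
# Assumes the pool has "pm.status_path = /status" and listens on the socket below.
server {
    listen 80;
    server_name app.example.com;      # assumed hostname
    root /var/www/html;               # assumed document root

    # Status page: allow/deny rules are evaluated top-down; the closing
    # "deny all" returns 403 to any client not matched above it.
    location = /status {
        allow 127.0.0.1;
        allow ::1;
        allow 10.0.0.0/8;             # assumed trusted internal network
        deny all;
        access_log off;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm/www.sock;   # assumed FPM socket
    }

    # Ordinary PHP requests are unaffected by the rule above.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }
}
```

Reload nginx after the change (nginx -t, then nginx -s reload). If the status page is not needed at all, the stronger option from the statement is to remove or comment out pm.status_path in the pool configuration and reload php-fpm, so no endpoint exists to restrict.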

CVSS v3: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Errata / fixed releases

Product | Package | Advisory | Released
Red Hat Enterprise Linux 8 | php:8.2-8100020260521052503.f7998665 | RHSA-2026:22305 | 2026-06-01T00:00:00Z
Red Hat Enterprise Linux 9 | php:8.3-9080020260521113736.9 | RHSA-2026:22142 | 2026-06-01T00:00:00Z
Red Hat Enterprise Linux 9 | php:8.2-9080020260521080715.9 | RHSA-2026:22143 | 2026-06-01T00:00:00Z
Red Hat Hardened Images | php-main-8.5.6-1.hum1 | RHSA-2026:14125 | 2026-05-06T00:00:00Z

Package state

Product | Package | State
Red Hat Enterprise Linux 10 | php | Fix deferred
Red Hat Enterprise Linux 10 | php8.4 | Fix deferred
Red Hat Enterprise Linux 6 | php | Fix deferred
Red Hat Enterprise Linux 7 | php | Fix deferred
Red Hat Enterprise Linux 8 | php:7.4/php | Fix deferred
Red Hat Enterprise Linux 9 | php | Fix deferred
Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9 | Fix deferred
Red Hat OpenShift Dev Spaces | devspaces/code-rhel9 | Fix deferred

Apply commands

Apply RHSA-2026:22305 for Red Hat Enterprise Linux 8:

    yum update -y php:8
    # or:
    dnf upgrade -y php:8

OS impact

SUSE: affected, 1 release
Version | Status | Fixed in
— | Affected | —

Windows: affected, 1 release
Version | Status | Fixed in
— | Affected | —

AlmaLinux: fixed, 2 releases
Version | Status | Fixed in
9 | Fixed | apcu-panel-5.1.23-1.module_el9.6.0+151+5f31e576.noarch.rpm
8 | Fixed | apcu-panel-5.1.23-1.module_el8.10.0+3796+30ed3ef7.noarch.rpm

Debian: fixed, 5 releases
Version | Status | Fixed in
trixie | Fixed | 8.4.21-1~deb13u1
sid | Fixed | 8.4.21-1
forky | Fixed | 8.4.21-1
bullseye | Fixed | 7.4.33-1+deb11u11
bookworm | Fixed | 8.2.31-1~deb12u1

Red Hat: fixed, 2 releases
Version | Status | Fixed in
9 | Fixed | —
8 | Fixed | —

Application impact

Vendor | Product | Affected versions | Fixed
php | php | >= 8.2.0 and < 8.2.31 | 8.2.31

References

CWEs

CWE-79
