Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
Remediation
References
Related Vulnerabilities
IBM RTC CVE-2019-4084 Vulnerability (CVE-2019-4084)
Apache HTTP Server Out-of-bounds Write Vulnerability (CVE-2019-10081)
WordPress Plugin WP Frontend Profile Security Bypass (1.2.1)
Craft CMS Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-68437)
WordPress Plugin Search & Replace PHP Object Injection (3.2.2)