CVE-2026-45062 FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead...

CVE-2026-24895

FrankenPHP CGI path splitting bug before 1.11.2 uses lowercased path for split index and applies it to the original path, causing SCRIPT_NAME/SCRIPT_FILENAME to point to the wrong file and potentially execute an unintended file. Root cause: Go strings.ToLower can increase byte length for certain ...