7 matches found
CVE-2026-42552 Flight: Sensitive information disclosure via default error handler in flightphp/core
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::error writes the full exception message, exception code, and stack trace including absolute filesystem paths directly into the HTTP 500 response, with no debug gating. Production deployments leak...
Information Exposure
Overview: Affected versions of this package are vulnerable to Information Exposure in the Engine::error function. An attacker can obtain sensitive information, such as absolute filesystem paths, secrets embedded in exception messages, and internal module structure, by triggering an uncaught...
Interpretation Conflict
Overview: Affected versions of this package are vulnerable to Interpretation Conflict via the getMethod function. An attacker can perform unauthorized actions by sending crafted HTTP requests that override the intended HTTP method, potentially bypassing middleware restrictions and escalating...
CVE-2026-42551
creationtimestamp | type | source
---|---|---
2026-04-29 13:03:34+00:00 | published-proof-of-concept | https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g...
CVE-2026-42550
creationtimestamp | type | source
---|---|---
2026-04-29 13:03:28+00:00 | published-proof-of-concept | https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr...
CVE-2026-42549
creationtimestamp | type | source
---|---|---
2026-04-29 13:03:23+00:00 | published-proof-of-concept | https://github.com/flightphp/core/security/advisories/GHSA-3xjv-pmf2-gf2q...
CVE-2026-42552
creationtimestamp | type | source
---|---|---
2026-04-29 13:02:57+00:00 | published-proof-of-concept | https://github.com/flightphp/core/security/advisories/GHSA-qrch-52m5-vv85...