55 matches found
GHSA-XCGV-8MV7-V8C7 vulnerabilities
Vulnerabilities for packages: eks-distro-fips, cloud-provider-azure, knative-operator-fips, kubernetes-dashboard, ocm-cli-fips, kube-arangodb-fips, commercial-chainloop-backend, buildah-fips, frankenphp-8.2, cerbos, commercial-spilo, kyverno-policy-reporter-plugins-kyverno, dataplaneapi-fips,...
GHSA-X527-X647-Q7GG vulnerabilities
Vulnerabilities for packages: omnictl-multiarch-fips, kubernetes-dashboard, flux-source-controller, cert-manager, kube-arangodb-fips, trivy-fips, frankenphp-8.2, external-dns, drone-fips, omnictl-multiarch, nerdctl, traefik-fips, knative-serving-fips, prometheus-fips, kots, commercial-grafana,...
GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: crossplane-provider-azure-servicenetworking, crossplane-provider-azure-authorization, chainctl-fips, omnictl-multiarch-fips, policy-controller, kubernetes-dashboard, flux-source-controller, sops, cert-manager, gomplate, kube-arangodb-fips, step-kms-plugin, trivy-fips...
GHSA-RM3J-F69W-WQMQ vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-bedrockagent-fips, crossplane-provider-aws-efs-fips, cert-manager, gomplate, crossplane-provider-azure-operationsmanagement, crossplane-provider-aws-firehose-fips, frankenphp-8.2, crossplane-provider-aws-rds-fips,...
GHSA-9M57-25V3-79X9 vulnerabilities
Vulnerabilities for packages: omnictl-multiarch-fips, kubernetes-dashboard, cert-manager, kube-arangodb-fips, buildah-fips, teleport-operator-fips, frankenphp-8.2, external-dns, omnictl-multiarch, nerdctl, traefik-fips, knative-serving-fips, prometheus-fips, kots, commercial-grafana, containerd,...
GHSA-78MQ-XCR3-XM33 vulnerabilities
Vulnerabilities for packages: omnictl-multiarch-fips, chainctl-fips, kubernetes-dashboard, flux-source-controller, cert-manager, gomplate, kube-arangodb-fips, trivy-fips, teleport-operator-fips, nuclei, frankenphp-8.2, mapotf-fips, splunk-otel-collector, external-dns, omnictl-multiarch, nerdctl,...
GHSA-45GG-VH54-H5M9 vulnerabilities
Vulnerabilities for packages: omnictl-multiarch-fips, kubernetes-dashboard, flux-source-controller, cert-manager, kube-arangodb-fips, trivy-fips, frankenphp-8.2, external-dns, drone-fips, omnictl-multiarch, nerdctl, traefik-fips, knative-serving-fips, prometheus-fips, kots, commercial-grafana,...
GHSA-Q4H4-GMJ2-QVW2 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-bedrockagent-fips, crossplane-provider-aws-efs-fips, cert-manager, gomplate, crossplane-provider-azure-operationsmanagement, crossplane-provider-aws-firehose-fips, frankenphp-8.2, crossplane-provider-aws-rds-fips,...
CVE-2026-45062 FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead...
CVE-2026-45062 FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead...
EUVD-2026-36075
FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead...
CVE-2026-45062
CVE-2026-45062 affects FrankenPHP (versions 1.11.2–1.12.2). The vulnerability arises in the CGI path splitting logic (splitPos in cgi.go), where fallback matching uses golang.org/x/text/search with ignore-case, and engages when the request path contains non-ASCII bytes. Two flaws enable an attack...
CVE-2026-45062 FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead...
FrankenPHP 输入验证错误漏洞
FrankenPHP is an open-source PHP application server developed by phpnet. In versions 1.11.2 to 1.2.3 of FrankenPHP, there was a vulnerability related to input validation errors. This vulnerability stemmed from the incorrect use of the splitPos function in cgi.go when the request path contained...
PT-2026-46233
Name of the Vulnerable Software and Affected Versions API Platform Core versions 2.6.0 through 4.1.28 API Platform Core versions 4.2.0 through 4.2.25 API Platform Core versions 4.3.0 through 4.3.11 Description A missing isCacheKeySafe gate in the JSON:API and HAL item normalizers leads to a...
GHSA-M675-2P33-XV9G Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files
Summary The FastCGI transport's splitPos in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treatin...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity through improper handling of Unicode characters in the splitPos function. An attacker can execute arbitrary code by uploading a file with a specially crafted name containing non-ASCII bytes or Unico...
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
Summary The splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the...
GHSA-3G8V-8R37-CGJM FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
Summary The splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the...
CVE-2026-39972 vulnerabilities
Vulnerabilities for packages: frankenphp-8.2, frankenphp-8.3, frankenphp-8.4, frankenphp-8.5...