CVE-2026-45062
CVE-2026-45062 affects FrankenPHP (versions 1.11.2–1.12.2). The vulnerability arises in the CGI path splitting logic (splitPos in cgi.go), where fallback matching uses golang.org/x/text/search with ignore-case, and engages when the request path contains non-ASCII bytes. Two flaws enable an attack...
EUVD-2026-36075
FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead...
CVE-2026-45062 FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead...
FrankenPHP Input Validation Error Vulnerability
FrankenPHP is an open-source PHP application server developed by phpnet. In versions 1.11.2 to 1.2.3 of FrankenPHP, there was a vulnerability related to input validation errors. This vulnerability stemmed from the incorrect use of the splitPos function in cgi.go when the request path contained...
PT-2026-46233
🔒 API Platform CVE-2026-49858: JSON:API & HAL normalizers cached components across users on long-running runtimes FrankenPHP, RoadRunner, Swoole. Patched in 4.1.29 / 4.2.25 / 4.3.8 — upgrade now. https://t.co/1oIPjtQjqB...
GHSA-M675-2P33-XV9G Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files
Summary The FastCGI transport's splitPos in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treatin...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity through improper handling of Unicode characters in the splitPos function. An attacker can execute arbitrary code by uploading a file with a specially crafted name containing non-ASCII bytes or Unico...
GHSA-3G8V-8R37-CGJM FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
Summary The splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the...
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
Summary The splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the...
CVE-2026-39972 vulnerabilities
Vulnerabilities for packages: frankenphp-8.2, frankenphp-8.4, frankenphp-8.5, frankenphp-8.3...
GHSA-HWR4-MQ23-WCV5 vulnerabilities
Vulnerabilities for packages: frankenphp-8.2, frankenphp-8.4, frankenphp-8.5, frankenphp-8.3...
CVE-2026-39882 vulnerabilities
Vulnerabilities for packages: beats-fips, tempo, gitlab-cng-fips, grafana-rollout-operator-fips, opa-fips, frankenphp-8.2, kubo, flyte, buildkitd-fips, headlamp, distribution, aws-otel-collector-fips, flux, gitlab-kas-fips, zot, fluent-bit-plugin-loki, elastic-agent, kubeflow-pipelines,...
GHSA-W8RR-5GCM-PP58 vulnerabilities
Vulnerabilities for packages: beats-fips, tempo, gitlab-cng-fips, grafana-rollout-operator-fips, opa-fips, frankenphp-8.2, kubo, flyte, buildkitd-fips, headlamp, distribution, aws-otel-collector-fips, flux, gitlab-kas-fips, zot, fluent-bit-plugin-loki, elastic-agent, kubeflow-pipelines,...
SUSE CVE-2026-24894
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $SESSION data of the previous request potential...
GO-2026-4442 FrankenPHP has delayed propagation of security fixes in upstream base images in github.com/dunglas/frankenphp
FrankenPHP has delayed propagation of security fixes in upstream base images in github.com/dunglas/frankenphp. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports fr...
GO-2026-4486 FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP in github.com/dunglas/frankenphp
FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP in github.com/dunglas/frankenphp...
GO-2026-4489 FrankenPHP leaks session data between requests in worker mode in github.com/dunglas/frankenphp
FrankenPHP leaks session data between requests in worker mode in github.com/dunglas/frankenphp...
CVE-2026-24895
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index for finding .php on a lowercased copy of the request path but applies that byte index to the...
CVE-2026-24894
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $SESSION data of the previous request potential...