41 matches found

Positive Technologies, added 18 hours ago, 2 views

PT-2026-46233

🔒 API Platform CVE-2026-49858: JSON:API & HAL normalizers cached components across users on long-running runtimes FrankenPHP, RoadRunner, Swoole. Patched in 4.1.29 / 4.2.25 / 4.3.8 — upgrade now. https://t.co/1oIPjtQjqB...

AI score: 5.8 | Exploits: 0 | References: 1
OSV, added 2026/05/18 1:40 p.m., 0 views

GHSA-M675-2P33-XV9G Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files

Summary The FastCGI transport's splitPos in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treatin...

CVSS: 8.1 | AI score: 6.5 | Exploits: 0 | References: 4
Github Security Blog, added 2026/05/15 5:09 p.m., 7 views

FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

Summary The splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the...

CVSS: 9.8 | AI score: 6.5 | EPSS: 0.00029 | Exploits: 1 | References: 3 | Affected software: 1
Snyk, added 2026/05/15 5:09 p.m., 4 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity through improper handling of Unicode characters in the splitPos function. An attacker can execute arbitrary code by uploading a file with a specially crafted name containing non-ASCII bytes or Unico...

CVSS: 9.2 | AI score: 6.2 | Exploits: 0 | References: 3
OSV, added 2026/05/15 5:09 p.m., 4 views

GHSA-3G8V-8R37-CGJM FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

Summary The splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the...

CVSS: 8.1 | AI score: 6.5 | Exploits: 0 | References: 3
Chainguard, added 2026/04/10 2:16 p.m., 2 views

CVE-2026-39972 vulnerabilities

Vulnerabilities for packages: frankenphp-8.4, frankenphp-8.2, frankenphp-8.5, frankenphp-8.3...

CVSS: 7.1 | AI score: 5.8 | EPSS: 0.00036 | Exploits: 0
Chainguard, added 2026/04/10 2:13 a.m., 2 views

GHSA-HWR4-MQ23-WCV5 vulnerabilities

Vulnerabilities for packages: frankenphp-8.4, frankenphp-8.2, frankenphp-8.5, frankenphp-8.3...

AI score: 5.8 | Exploits: 0
Chainguard, added 2026/04/10 2:13 a.m., 3 views

CVE-2026-39882 vulnerabilities

Vulnerabilities for packages: nrdot-collector-k8s-fips, tkn-fips, knative-kafka-broker, headlamp-fips, envoy-gateway, dapr, kubescape-server-fips, kots, zitadel, buildkitd, cerbos-fips, amazon-cloudwatch-agent-fips, knative-operator-fips, beats, flux-notification-controller, docker-compose-fips,...

CVSS: 5.3 | AI score: 7.1 | EPSS: 0.00007 | Exploits: 0
Chainguard, added 2026/04/10 2:13 a.m., 3 views

GHSA-W8RR-5GCM-PP58 vulnerabilities

Vulnerabilities for packages: nrdot-collector-k8s-fips, tkn-fips, knative-kafka-broker, headlamp-fips, envoy-gateway, dapr, kubescape-server-fips, kots, zitadel, buildkitd, cerbos-fips, amazon-cloudwatch-agent-fips, knative-operator-fips, beats, flux-notification-controller, docker-compose-fips,...

AI score: 5.8 | Exploits: 0
SUSE CVE, added 2026/03/04 12:27 a.m., 0 views

SUSE CVE-2026-24894

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request potential...

CVSS: 8.7 | AI score: 5.8 | EPSS: 0.0006 | Exploits: 1 | References: 3
OSV, added 2026/02/17 6:09 p.m., 2 views

GO-2026-4442 FrankenPHP has delayed propagation of security fixes in upstream base images in github.com/dunglas/frankenphp

FrankenPHP has delayed propagation of security fixes in upstream base images in github.com/dunglas/frankenphp. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports fr...

AI score: 5.6 | Exploits: 0 | References: 1
OSV, added 2026/02/17 6:09 p.m., 1 view

GO-2026-4489 FrankenPHP leaks session data between requests in worker mode in github.com/dunglas/frankenphp

FrankenPHP leaks session data between requests in worker mode in github.com/dunglas/frankenphp...

CVSS: 8.7 | AI score: 5.4 | EPSS: 0.0006 | Exploits: 1 | References: 4
OSV, added 2026/02/17 6:09 p.m., 2 views

GO-2026-4486 FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP in github.com/dunglas/frankenphp

FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP in github.com/dunglas/frankenphp...

CVSS: 9.8 | AI score: 5.4 | EPSS: 0.00029 | Exploits: 1 | References: 4
RedhatCVE, added 2026/02/13 7:18 p.m., 2 views

CVE-2026-24895

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index for finding .php on a lowercased copy of the request path but applies that byte index to the...

CVSS: 9.8 | AI score: 5.7 | EPSS: 0.00029 | Exploits: 1 | References: 1
RedhatCVE, added 2026/02/13 7:18 p.m., 2 views

CVE-2026-24894

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request potential...

CVSS: 8.7 | AI score: 5.5 | EPSS: 0.0006 | Exploits: 1 | References: 1
NVD, added 2026/02/12 8:16 p.m., 4 views

CVE-2026-24894

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request potential...

CVSS: 8.7 | EPSS: 0.0006 | Exploits: 1 | References: 3
NVD, added 2026/02/12 8:16 p.m., 3 views

CVE-2026-24895

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index for finding .php on a lowercased copy of the request path but applies that byte index to the...

CVSS: 9.8 | EPSS: 0.00029 | Exploits: 1 | References: 3
Cvelist, added 2026/02/12 7:16 p.m., 24 views

CVE-2026-24895 FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index for finding .php on a lowercased copy of the request path but applies that byte index to the...

CVSS: 9.3 | EPSS: 0.00029 | Exploits: 1 | References: 3
ATTACKERKB, added 2026/02/12 7:16 p.m., 3 views

CVE-2026-24895

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index for finding .php on a lowercased copy of the request path but applies that byte index to the...

CVSS: 9.3 | AI score: 5.7 | EPSS: 0.00029 | Exploits: 1 | References: 4 | Affected software: 1
OSV, added 2026/02/12 7:16 p.m., 3 views

CVE-2026-24895 FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index for finding .php on a lowercased copy of the request path but applies that byte index to the...

CVSS: 9.3 | AI score: 5.7 | EPSS: 0.00029 | Exploits: 1 | References: 5
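The CVE-2026-24895 and GO-2026-4486 entries above describe the same defect: the ".php" split index is computed on a lowercased copy of the request path and then applied to the original bytes, and Unicode lowering can change the UTF-8 byte length. The following Go program is an added example written for this page; it is not FrankenPHP's or Caddy's code. `vulnerableSplitPos` reproduces the pattern the advisories describe, `fixedSplitPos` with `asciiLower` is one length-preserving alternative assumed here for illustration (not the project's patch, which the later GHSA entries say relied on golang.org/x/text/search), `splitPath` stands in for the SCRIPT_NAME/PATH_INFO assignment with a bounds check added so the overshoot case is reported instead of panicking, and the two request paths are constructed inputs: U+212A KELVIN SIGN (3 bytes, lowercases to the 1-byte "k") for the shrinking case and U+023A (2 bytes, lowercases to the 3-byte U+2C65) for the growing case.

```go
package main

import (
	"fmt"
	"strings"
)

// vulnerableSplitPos reproduces the pattern the advisories describe: the
// ".php" search runs on a lowercased copy of the request path, but the
// returned byte offset is later applied to the original path. Unicode
// lowering can shrink or grow the UTF-8 encoding, so the offsets drift.
func vulnerableSplitPos(path, split string) int {
	lower := strings.ToLower(path)
	if idx := strings.Index(lower, strings.ToLower(split)); idx > -1 {
		return idx + len(split)
	}
	return -1
}

// asciiLower folds only A-Z. Every other byte is copied unchanged, so the
// result is byte-for-byte aligned with the input.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if c >= 'A' && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// fixedSplitPos is one length-preserving alternative (an assumption of this
// example, not the project's patch): it searches the ASCII-folded copy, so
// the offset is valid for the original bytes. ".php" is ASCII, so no
// non-ASCII folding is needed to match it case-insensitively.
func fixedSplitPos(path, split string) int {
	lower := asciiLower(path)
	if idx := strings.Index(lower, asciiLower(split)); idx > -1 {
		return idx + len(split)
	}
	return -1
}

// splitPath does what a CGI front end does with the offset: bytes up to and
// including the match become SCRIPT_NAME, the rest PATH_INFO. An offset past
// the end of the path is reported instead of panicking on the slice.
func splitPath(path string, pos int) (scriptName, pathInfo string, err error) {
	if pos < 0 || pos > len(path) {
		return "", "", fmt.Errorf("split offset %d is outside the %d-byte path", pos, len(path))
	}
	return path[:pos], path[pos:], nil
}

func show(label, path string) {
	for _, f := range []struct {
		name string
		fn   func(string, string) int
	}{{"vulnerable", vulnerableSplitPos}, {"fixed", fixedSplitPos}} {
		pos := f.fn(path, ".php")
		script, info, err := splitPath(path, pos)
		if err != nil {
			fmt.Printf("%-22s %-10s %v\n", label, f.name, err)
			continue
		}
		fmt.Printf("%-22s %-10s SCRIPT_NAME=%q PATH_INFO=%q\n", label, f.name, script, info)
	}
}

func main() {
	// Constructed inputs. U+212A KELVIN SIGN is 3 bytes in UTF-8 and lowers to
	// the 1-byte "k", so the offset found in the lowered copy is 4 bytes short
	// of the real ".php" and the split lands right after ".png".
	show("kelvin (shrinks)", "/uploads/\u212a\u212a.png.php")
	// U+023A is 2 bytes and lowers to U+2C65 (3 bytes), so the offset
	// overshoots and here points one byte past the end of the original path.
	show("A-with-stroke (grows)", "/\u023a.php")
}
```

Running it prints the shrinking case as `SCRIPT_NAME="/uploads/KK.png" PATH_INFO=".php"` for the vulnerable split, which is the outcome the entries describe: an uploaded file whose name is not `.php` is handed to PHP as the script, while the fixed split keeps the whole `/uploads/KK.png.php` as SCRIPT_NAME. The growing case yields an offset of 8 on a 7-byte path, which the vulnerable split would otherwise slice out of range.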