CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

12 matches found

OSV•added 2026/05/15 5:9 p.m.•5 views

GHSA-3G8V-8R37-CGJM FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

Summary The splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the...

8.1CVSS6.5AI score

Exploits0References3

Github Security Blog•added 2026/05/15 5:9 p.m.•7 views

FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

9.8CVSS6.5AI score0.00029EPSS

Exploits1References3Affected Software1

Snyk•added 2026/02/24 8:39 p.m.•1 views

Incorrect Behavior Order: Validate Before Canonicalize

Overview Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize via the splitPos function. An attacker can cause unintended execution of files by crafting URLs with specific Unicode characters that manipulate the path splitting logic, potentiall...

9.8CVSS6.1AI score0.00245EPSS

Exploits1References2

UbuntuCve•added 2026/02/24 5:29 p.m.•4 views

CVE-2026-27590

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because...

9.8CVSS7.3AI score0.00245EPSS

Exploits1References4

AlpineLinux•added 2026/02/24 4:33 p.m.•2 views

CVE-2026-27590

9.8CVSS6AI score0.00245EPSS

Exploits1

OSV•added 2026/02/24 4:33 p.m.•2 views

CVE-2026-27590 Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport

9.3CVSS6.1AI score0.00245EPSS

Exploits1References5

RedhatCVE•added 2026/02/13 7:18 p.m.•2 views

CVE-2026-24895

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index for finding .php on a lowercased copy of the request path but applies that byte index to the...

9.8CVSS5.7AI score0.00029EPSS

Exploits1References1

Cvelist•added 2026/02/12 7:16 p.m.•24 views

CVE-2026-24895 FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files

9.3CVSS0.00029EPSS

Exploits1References3

Vulnrichment•added 2026/02/12 7:16 p.m.•3 views

CVE-2026-24895 FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files

9.3CVSS5.7AI score0.00029EPSS

Exploits1References3

RedhatCVE•added 2022/05/16 4:26 a.m.•58 views

CVE-2022-21190

This affects the package convict before 6.2.3. This is a bypass of CVE-2022-22143. The fix introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with proto or this.constructor.prototype. To bypass this check it's...

9.8CVSS2.7AI score0.01732EPSS

Exploits2References3

Prion•added 2022/05/13 8:15 p.m.•19 views

Design/Logic Flaw

7.5CVSS9.4AI score0.01732EPSS

Exploits2References5Affected Software1

OSV•added 2018/11/28 5:29 p.m.•1 views

ALPINE-CVE-2018-12116

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to...

7.5CVSS9AI score0.00531EPSS

Exploits0References1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by