Lucene search
K

3 matches found

Github Security Blog
Github Security Blog
added 2026/05/18 1:40 p.m.12 views

Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files

Summary The FastCGI transport's splitPos in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treatin...

9.8CVSS6.5AI score0.0058EPSS
Exploits2References4Affected Software1
OSV
OSV
added 2026/05/18 1:40 p.m.5 views

GHSA-M675-2P33-XV9G Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files

Summary The FastCGI transport's splitPos in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treatin...

8.1CVSS6.5AI score0.00399EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/05/15 5:9 p.m.12 views

FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

Summary The splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the...

8.1CVSS6.5AI score0.00568EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder