CVE-2026-24895

FrankenPHP CGI path splitting bug before 1.11.2 uses lowercased path for split index and applies it to the original path, causing SCRIPT_NAME/SCRIPT_FILENAME to point to the wrong file and potentially execute an unintended file. Root cause: Go strings.ToLower can increase byte length for certain ...

CVE-2026-24894

FrankenPHP in worker mode prior to 1.11.2 does not reset the PHP $_SESSION between requests, allowing a subsequent request on the same worker to read the previous request’s session data before session_start() is called. This could expose potentially sensitive session information across users. The...