CVE-2026-24895

Feb. 12, 2026, 8:16 p.m.

8.9
High

Description

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2.

Product(s) Impacted

Vendor Product Versions
Frankenphp
  • Frankenphp
  • <1.11.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-180
Incorrect Behavior Order: Validate Before Canonicalize
The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a frankenphp frankenphp <1.11.2 / / / / / / /

References

https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e
https://github.com/php/frankenphp/releases/tag/v1.11.2
https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38

Tags

[email protected]
CWE-180
2026-02-12
CVE-2026-24895

CVSS Score

8.9 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Exploit Maturity: PROOF_OF_CONCEPT

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Feb. 12, 2026, 8:16 p.m.
Last Modified: Feb. 12, 2026, 8:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.