CVE-2026-24895

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e	Patch
https://github.com/php/frankenphp/releases/tag/v1.11.2	Release Notes
https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38	Vendor Advisory Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:php:frankenphp:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-12 20:16

Updated : 2026-02-20 18:30

NVD link : CVE-2026-24895

Mitre link : CVE-2026-24895

CVE.ORG link : CVE-2026-24895

JSON object : View

Products Affected

php

frankenphp

CWE

CWE-180

Incorrect Behavior Order: Validate Before Canonicalize

{"id": "CVE-2026-24895", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-12T20:16:10.170", "references": [{"url": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/php/frankenphp/releases/tag/v1.11.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38", "tags": ["Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-180"}]}], "descriptions": [{"lang": "en", "value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP\u2019s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., \u023a expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2."}, {"lang": "es", "value": "FrankenPHP es un moderno servidor de aplicaciones para PHP. Antes de 1.11.2, la l\u00f3gica de divisi\u00f3n de rutas CGI de FrankenPHP maneja incorrectamente los caracteres Unicode durante la conversi\u00f3n de may\u00fasculas y min\u00fasculas. La l\u00f3gica calcula el \u00edndice de divisi\u00f3n (para encontrar .php) en una copia en min\u00fasculas de la ruta de la solicitud, pero aplica ese \u00edndice de bytes a la ruta original. Debido a que strings.ToLower() en Go puede aumentar la longitud en bytes de ciertos caracteres UTF-8 (por ejemplo, ? se expande al convertirse a min\u00fasculas), el \u00edndice calculado puede no alinearse con la posici\u00f3n correcta en la cadena original. Esto resulta en un SCRIPT_NAME y SCRIPT_FILENAME incorrectos, potencialmente causando que FrankenPHP ejecute un archivo diferente al previsto por la URI. Esta vulnerabilidad est\u00e1 corregida en 1.11.2."}], "lastModified": "2026-02-20T18:30:00.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:php:frankenphp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2C3D161-7DC3-4241-9EBA-481806A802B5", "versionEndExcluding": "1.11.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}