{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24895", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T19:35:20.529Z", "datePublished": "2026-02-12T19:16:06.618Z", "dateUpdated": "2026-02-12T20:04:07.435Z"}, "containers": {"cna": {"title": "FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files", "problemTypes": [{"descriptions": [{"cweId": "CWE-180", "lang": "en", "description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38"}, {"name": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e", "tags": ["x_refsource_MISC"], "url": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e"}, {"name": "https://github.com/php/frankenphp/releases/tag/v1.11.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/php/frankenphp/releases/tag/v1.11.2"}], "affected": [{"vendor": "php", "product": "frankenphp", "versions": [{"version": "< 1.11.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T19:16:06.618Z"}, "descriptions": [{"lang": "en", "value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP\u2019s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., \u023a expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2."}], "source": {"advisory": "GHSA-g966-83w7-6w38", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T20:03:49.803836Z", "id": "CVE-2026-24895", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T20:04:07.435Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24895", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-12T20:03:49.803836Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T20:03:56.900Z"}}], "cna": {"title": "FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files", "source": {"advisory": "GHSA-g966-83w7-6w38", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "php", "product": "frankenphp", "versions": [{"status": "affected", "version": "< 1.11.2"}]}], "references": [{"url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38", "name": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e", "name": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/php/frankenphp/releases/tag/v1.11.2", "name": "https://github.com/php/frankenphp/releases/tag/v1.11.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP\u2019s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., \u023a expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-180", "description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T19:16:06.618Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24895", "state": "PUBLISHED", "dateUpdated": "2026-02-12T20:04:07.435Z", "dateReserved": "2026-01-27T19:35:20.529Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T19:16:06.618Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:frankenphp:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2C3D161-7DC3-4241-9EBA-481806A802B5", "versionEndExcluding": "1.11.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP\u2019s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., \u023a expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2."}, {"lang": "es", "value": "FrankenPHP es un moderno servidor de aplicaciones para PHP. Antes de 1.11.2, la l\u00f3gica de divisi\u00f3n de rutas CGI de FrankenPHP maneja incorrectamente los caracteres Unicode durante la conversi\u00f3n de may\u00fasculas y min\u00fasculas. La l\u00f3gica calcula el \u00edndice de divisi\u00f3n (para encontrar .php) en una copia en min\u00fasculas de la ruta de la solicitud, pero aplica ese \u00edndice de bytes a la ruta original. Debido a que strings.ToLower() en Go puede aumentar la longitud en bytes de ciertos caracteres UTF-8 (por ejemplo, ? se expande al convertirse a min\u00fasculas), el \u00edndice calculado puede no alinearse con la posici\u00f3n correcta en la cadena original. Esto resulta en un SCRIPT_NAME y SCRIPT_FILENAME incorrectos, potencialmente causando que FrankenPHP ejecute un archivo diferente al previsto por la URI. Esta vulnerabilidad est\u00e1 corregida en 1.11.2."}], "id": "CVE-2026-24895", "lastModified": "2026-02-20T18:30:00.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-12T20:16:10.170", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/php/frankenphp/releases/tag/v1.11.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-180"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.11.2)"}}], "product": "frankenphp", "vendor": "php"}], "analysis": {"en": {"generated_at": "2026-04-17T20:01:46.387323+00:00", "value": {"mitigation_remediation": ["Upgrade FrankenPHP to version 1.11.2 or later.", "If an immediate upgrade is not possible, limit the exposure of the CGI handler to trusted networks and enforce strict path validation or disable the CGI mode until a patch is available.", "Implement request monitoring to detect unusual UTF\u20118 characters in URI paths and alert on potential misrouting attempts."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary File Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the PHP FrankenPHP application server published by php:frankenphp. All releases prior to version 1.11.2 are susceptible; the issue was fixed in the 1.11.2 release. No specific sub\u2011versions are listed, so any installation of FrankenPHP below 1.11.2 should be considered at risk.", "description_and_impact": "FrankenPHP improperly handles Unicode characters during case conversion in its CGI path splitting logic. It calculates the index for the .php marker on a lowercased copy of the request path, but uses that byte offset against the original string. Because Go\u2019s ToLower can increase the byte length of certain UTF\u20118 characters, the computed index may be misaligned, causing an incorrect SCRIPT_NAME and SCRIPT_FILENAME. This misinterpretation allows an attacker to trigger the execution of a file other than the one referenced by the request URI, effectively enabling arbitrary code execution within the server context.", "risk_and_exploitability": "The CVSS score of 8.9 indicates high severity. The EPSS score is less than 1 percent, implying that, while exploitable, the probability of widespread exploitation is currently low. FrankenPHP is not listed in the CISA KEV catalog, but the flaw permits remote code execution over an HTTP interface, making it a high\u2011impact flaw if exploited. Exploitation would require the ability to send crafted HTTP requests to the server, which is typically available to any network user who can reach the application. "}}}}, "created": "2026-02-13T21:29:32.842046+00:00", "updated": "2026-04-17T20:15:26.987804+00:00", "vendors": ["php", "php$PRODUCT$frankenphp"]}