216.73.216.86

CVE-2026-45062

· Published 10/06/2026 18:16 · Modified 11/06/2026 14:16

Labels: CVE-2026-45062 2026-06-10CVE-2026-45062CWE-20[email protected]

Essential information

Published
10/06/2026 18:16
Modified
11/06/2026 14:16
Author
Creator
CVSS
8.1 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
frankenphp / frankenphp cpe:2.3:a:frankenphp:frankenphp:1.11.2-1.12.3:*:*:*:*:*:*:*

References