PT-2026-21775 · Caddy · Caddy

Abdrrahimdahmani

Published 2026-01-01 · Updated 2026-03-03

CVE-2026-27590

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Caddy versions prior to 2.11.1
FrankenPHP versions prior to 1.11.2

Description

Caddy and FrankenPHP are vulnerable to a path confusion issue caused by incorrect handling of Unicode characters during case conversion in the FastCGI path splitting logic. The splitPos() function computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode input because strings.ToLower() can change the UTF-8 byte length of some characters, so the index no longer matches the original bytes whenever the path contains characters whose lowercase form expands. The result is an incorrect SCRIPT_NAME/SCRIPT_FILENAME and PATH_INFO, which can cause a request containing .php to execute a different on-disk file than intended. In setups where an attacker can control file contents, this can lead to unintended PHP execution of non-.php files, potentially resulting in remote code execution (RCE).

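
To make the index mismatch concrete, here is an added Go illustration that is not Caddy's or FrankenPHP's code: a simplified split routine that takes its index from the lowercased copy, beside one that searches the original bytes. It assumes a single ".php" split pattern and a constructed request path containing U+023A, which strings.ToLower maps to the three-byte U+2C65; the function and constant names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumptions: a single ".php" split pattern and a constructed path in which
// U+023A (2 bytes) lowercases to U+2C65 (3 bytes), so the lowercased copy is longer.
const (
	SplitPattern = ".php"
	SamplePath   = "/\u023A\u023A/index.php/info"
)

// naiveSplitPos reproduces the described flaw: an index found on a lowercased
// copy is applied as a byte offset into the original path.
func naiveSplitPos(path string) int {
	idx := strings.Index(strings.ToLower(path), SplitPattern)
	if idx < 0 {
		return -1
	}
	return idx + len(SplitPattern)
}

// safeSplitPos folds case per window on the original bytes, so the index is valid for it.
func safeSplitPos(path string) int {
	n := len(SplitPattern)
	for i := 0; i+n <= len(path); i++ {
		if strings.EqualFold(path[i:i+n], SplitPattern) {
			return i + n
		}
	}
	return -1
}

// splitPathInfo derives SCRIPT_NAME and PATH_INFO from a split position.
func splitPathInfo(path string, pos func(string) int) (string, string) {
	idx := pos(path)
	if idx < 0 {
		return path, ""
	}
	return path[:idx], path[idx:]
}

func main() {
	s, p := splitPathInfo(SamplePath, naiveSplitPos)
	fmt.Printf("naive: SCRIPT_NAME=%q PATH_INFO=%q\n", s, p)
	s, p = splitPathInfo(SamplePath, safeSplitPos)
	fmt.Printf("safe:  SCRIPT_NAME=%q PATH_INFO=%q\n", s, p)
}
```

On the constructed path the naive routine yields SCRIPT_NAME "/ȺȺ/index.php/i" and PATH_INFO "nfo", while the byte-accurate one yields "/ȺȺ/index.php" and "/info".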
Recommendations

Caddy versions prior to 2.11.1: upgrade to version 2.11.1 or later.
FrankenPHP versions prior to 1.11.2: upgrade to version 1.11.2 or later.

Exploit · Fix · RCE


Weakness Enumeration

Related Identifiers

CVE-2026-27590
GHSA-5R3V-VC8M-M96G
GHSA-G966-83W7-6W38
GO-2026-4536
SUSE-SU-2026:0757-1

Affected Products

Caddy