PT-2026-38274 · Flight · Flight

Published: 2026-05-06 · Updated: 2026-05-13 · CVE-2026-42552

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Flight versions prior to 3.18.1
Description: The default error handler Engine::error() writes the full exception message, exception code, and stack trace, including absolute filesystem paths, directly into the HTTP 500 response without debug gating. This leads to the disclosure of internal paths, secrets interpolated into exception messages, and the full module structure. Such information can be used to facilitate other attacks, such as Local File Inclusion (LFI) or path traversal.
Recommendations: Update to version 3.18.1. As a temporary workaround, restrict access to the Engine::error() function or implement custom error handling to prevent verbose output in production environments.
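The custom error handling recommended above, shown as an added example that is not part of the advisory or of the Flight project's own code: the handler replaces the default one through Flight's documented Flight::map('error', ...) override, keeps the exception message, code, file path and trace in the server log, and returns only a generic body to the client. The APP_DEBUG environment variable, the incident-id scheme, the log destination and the sample route are assumptions.

```php
<?php
// Added example: a production-safe error handler for a Flight application.
// Assumption: APP_DEBUG is "1" only on developer machines; it must be unset
// (or "0") in production so the verbose branch below is never reached there.
require 'vendor/autoload.php';

$debug = getenv('APP_DEBUG') === '1';

Flight::map('error', function (Throwable $e) use ($debug): void {
    // Random reference that ties the client-visible response to the log
    // entry without revealing anything about the failure itself.
    $incidentId = bin2hex(random_bytes(8));

    // Everything the default handler would have echoed stays server-side:
    // the message (which may carry interpolated secrets), code, absolute
    // file path, line number and the full stack trace.
    error_log(sprintf(
        '[%s] %s (code %d) at %s:%d%s%s',
        $incidentId,
        $e->getMessage(),
        $e->getCode(),
        $e->getFile(),
        $e->getLine(),
        PHP_EOL,
        $e->getTraceAsString()
    ));

    if ($debug) {
        // Developer convenience only: verbose output gated on APP_DEBUG.
        Flight::halt(500, '<pre>' . htmlspecialchars((string) $e) . '</pre>');
        return;
    }

    // Production: no paths, no message, no trace; only the reference id.
    Flight::halt(500, 'Internal Server Error (reference ' . $incidentId . ')');
});

Flight::route('/', function (): void {
    // Constructed failure so the handler can be exercised locally; the
    // secret in the message reaches the log but never the HTTP response.
    throw new RuntimeException('DB connect failed: password=example-secret');
});

Flight::start();
```

Requesting `/` with APP_DEBUG unset returns a 500 whose body contains only the reference id, while the full exception text appears in the PHP error log.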

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

CVE-2026-42552
GHSA-QRCH-52M5-VV85

Affected Products

Flight