PT-2026-41391 · Unknown · Frankenphp
Published
2026-05-15
·
Updated
2026-06-25
·
CVE-2026-45062
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
FrankenPHP versions 1.11.2 through 1.12.2
Description
An unsafe Unicode handling flaw exists in the CGI path splitting process. The
splitPos() function in cgi.go incorrectly uses the golang.org/x/text/search library with search.IgnoreCase when processing request paths containing non-ASCII bytes. This leads to two distinct issues: a control-flow error where a stale match variable can cause non-PHP files to be treated as PHP scripts, and a Unicode equivalence issue where non-ASCII lookalikes (such as full-width or circled characters) are folded into ASCII characters, misleading the system into identifying a file as a .php script.In environments where an attacker can upload or place files on the server, these flaws can be exploited by crafting a specific URL path to trigger the bypass, potentially leading to remote code execution (RCE) without authentication.
Recommendations
Update FrankenPHP to version 1.12.3.
Exploit
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Frankenphp