PT-2026-41391 · Unknown · Frankenphp

Published

2026-05-15

·

Updated

2026-06-25

·

CVE-2026-45062

CVSS v3.1

8.1

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions FrankenPHP versions 1.11.2 through 1.12.2
Description An unsafe Unicode handling flaw exists in the CGI path splitting process. The splitPos() function in cgi.go incorrectly uses the golang.org/x/text/search library with search.IgnoreCase when processing request paths containing non-ASCII bytes. This leads to two distinct issues: a control-flow error where a stale match variable can cause non-PHP files to be treated as PHP scripts, and a Unicode equivalence issue where non-ASCII lookalikes (such as full-width or circled characters) are folded into ASCII characters, misleading the system into identifying a file as a .php script.
In environments where an attacker can upload or place files on the server, these flaws can be exploited by crafting a specific URL path to trigger the bypass, potentially leading to remote code execution (RCE) without authentication.
Recommendations Update FrankenPHP to version 1.12.3.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45062
GHSA-3G8V-8R37-CGJM
GO-2026-5084

Affected Products

Frankenphp