CVE Alert

CVE-2026-45062

HIGH 8.1

FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

CVSS Score: 8.1
EPSS Score: 0.0%
EPSS Percentile: 0th

FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3.

CWE: CWE-20, CWE-176, CWE-178
Vendor: php
Product: frankenphp
Published: Jun 10, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

php / frankenphp
>= 1.11.2, < 1.12.3

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm
github.com: https://github.com/php/frankenphp/releases/tag/v1.12.3