๐Ÿ” CVE Alert

CVE-2026-57584

UNKNOWN 0.0

Phalcon: Catastrophic backtracking (ReDoS) in the default Phalcon Router route lead to remote unauthenticated DoS

CVSS Score
0.0
EPSS Score
0.4%
EPSS Percentile
34th

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier (/.), and the same construct is produced by the /:params placeholder and the CLI router. Phalcon\Mvc\Router::handle() matches this pattern against the attacker-controlled request URI on every request, so a crafted path such as one containing repeated slashes followed by decoded newlines can trigger catastrophic backtracking and cause CPU exhaustion or route-matching failure. This issue is fixed in version 5.15.0.

CWE CWE-1333
Vendor phalcon
Product cphalcon
Published Jul 10, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for phalcon cphalcon

Be the first to know when new unknown vulnerabilities affecting phalcon cphalcon are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

phalcon / cphalcon
< 5.15.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/phalcon/cphalcon/security/advisories/GHSA-x7rj-f32v-7jjg github.com: https://github.com/phalcon/cphalcon/commit/14ba22d389d5ca620bb9d5207205f836ef1224f2 github.com: https://github.com/phalcon/cphalcon/commit/fa798e919cb2c487062bb9899ad6fc2b673b3a67 github.com: https://github.com/phalcon/cphalcon/releases/tag/v5.15.0