Description
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site scripting. This vulnerability is fixed in 3.18.1.
Published: 2026-05-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flight, an extensible micro‑framework for PHP, contains a reflected cross‑site scripting flaw in its JSONP handling. The implementation concatenates the ?jsonp= query value directly into a JavaScript response without validating that it is a legal identifier, allowing an attacker to inject arbitrary code that executes in the context of the receiving browser. This can lead to session hijacking, credential theft, defacement, or other client‑side compromise. The weakness is classified as CWE‑79, reflected XSS.

Affected Systems

The flaw affects the FlightPHP core micro‑framework for PHP. All versions released before 3.18.1 are vulnerable; fixes are included in release 3.18.1 and later. Users of older releases must verify their current version and plan a corrective change accordingly.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity vulnerability that can be exploited remotely. EPSS data is not available and the flaw is not listed in the KEV catalog, but the lack of protection allows an attacker to craft a URL with an arbitrary callback name (e.g., ?jsonp=alert(1)) that will run in any victim’s browser. Since no authentication is required and the payload can be embedded in a link, the exploitation path is trivially achievable for malicious actors or automated scanners.

Generated by OpenCVE AI on May 13, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Flight::core version 3.18.1 or later.
  • If an upgrade is not possible, sanitize the JSONP callback parameter so it contains only a valid JavaScript identifier, or disable JSONP support entirely on vulnerable endpoints.
  • Deploy a Web Application Firewall or enforce a Content Security Policy that blocks unexpected script execution from JSONP responses.

Generated by OpenCVE AI on May 13, 2026 at 21:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fcx8-ph5r-mxr4 Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp()
History

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Flightphp
Flightphp core
Vendors & Products Flightphp
Flightphp core

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site scripting. This vulnerability is fixed in 3.18.1.
Title Flight: Reflected XSS via unvalidated JSONP callback in Flight::jsonp()
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Flightphp Core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:32:32.147Z

Reserved: 2026-04-28T16:56:50.191Z

Link: CVE-2026-42548

cve-icon Vulnrichment

Updated: 2026-05-14T12:32:28.944Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T20:16:21.787

Modified: 2026-05-14T16:51:08.300

Link: CVE-2026-42548

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:33:41Z

Weaknesses