Impact
The vulnerability in Flight’s make:controller command builds a file path directly from user‑supplied input and calls mkdir recursively on that path before the framework’s class‑name validator runs. When the input contains path traversal elements such as "../", the mkdir call therefore creates directories outside the intended project root. Because the subsequent write of the controller file is still blocked by the validation, no code is injected directly; the side effect is limited to directory creation. An attacker who can influence the command’s input can nonetheless pre‑create directories in locations that are accessed later, which may assist a later attack, or cause accidental modification, if files end up being placed there by other means.
Affected Systems
Any installation of FlightPHP core running a version earlier than 3.18.1 is affected. The fix is included in 3.18.1 and later releases, where the class‑name validation runs before the directory creation step, so a rejected name never reaches mkdir.
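The ordering bug described in the two sections above, shown as an added illustration in PHP beside a hardened version. This is not FlightPHP’s code: the function names, the class‑name regular expression, the app/controllers layout and the traversal payload are all assumptions made for the example. The vulnerable function reproduces the behaviour the advisory describes (mkdir succeeds on a traversal path, the later check blocks only the file write); the hardened one validates first and adds a realpath containment check as defence in depth.

```php
<?php
declare(strict_types=1);

// Added illustration, not FlightPHP's code: the "mkdir before validation"
// ordering bug next to a hardened version. Function names, the regex and the
// directory layout are hypothetical.

const CLASS_NAME_RE = '/^[A-Z][A-Za-z0-9_]*$/';

// Vulnerable ordering: the path is derived from raw input and the directories
// are created before the name is validated. For "../../../escaped/Evil",
// mkdir() resolves the ".." segments and creates "escaped" outside the project
// root; the later check aborts the file write, but the directory stays behind.
function makeControllerVulnerable(string $root, string $name): bool
{
    $target = $root . '/app/controllers/' . $name . '.php';
    $dir = dirname($target);
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);          // side effect has already happened
    }
    if (!preg_match(CLASS_NAME_RE, $name)) {
        return false;                     // write "blocked", but too late for mkdir
    }
    return file_put_contents($target, "<?php\n\nclass {$name} {}\n") !== false;
}

// Hardened ordering: validate first, so nothing built from the input touches
// the filesystem until it is known to be a bare class name. The realpath()
// containment check guards against a future loosening of the regex.
function makeControllerHardened(string $root, string $name): bool
{
    if (!preg_match(CLASS_NAME_RE, $name)) {
        return false;
    }
    $base = realpath($root . '/app/controllers');
    if ($base === false) {
        return false;                     // fixed directory missing; do not guess
    }
    $target = $base . DIRECTORY_SEPARATOR . $name . '.php';
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                     // would land outside the controllers dir
    }
    return file_put_contents($target, "<?php\n\nclass {$name} {}\n") !== false;
}

// Recursive delete for the throwaway sandbox.
function removeTree(string $dir): void
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
    }
    rmdir($dir);
}

// Run one implementation against a constructed traversal payload inside a
// sandbox and report whether a directory appeared outside the project root.
function escapesProjectRoot(callable $impl): bool
{
    $sandbox = sys_get_temp_dir() . '/flight_demo_' . bin2hex(random_bytes(4));
    $root    = $sandbox . '/project';
    mkdir($root . '/app/controllers', 0755, true);

    $payload = '../../../escaped/Evil';   // constructed attacker input
    $impl($root, $payload);

    // controllers/../../.. resolves to $sandbox, so the escape lands here.
    $escaped = is_dir($sandbox . '/escaped');

    removeTree($sandbox);
    return $escaped;
}

printf("vulnerable: directory created outside root? %s\n",
    escapesProjectRoot('makeControllerVulnerable') ? 'yes' : 'no');
printf("hardened:   directory created outside root? %s\n",
    escapesProjectRoot('makeControllerHardened') ? 'yes' : 'no');
```

Running the script with the PHP CLI shows the vulnerable ordering leaving an `escaped` directory beside the sandboxed project while the hardened ordering touches nothing. The payload is kept inside a temporary sandbox on purpose; against a real installation the same input would create the directory relative to the framework’s own root, which is the side effect the advisory describes.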
Risk and Exploitability
The CVSS score of 4.4 indicates a moderate level of risk; the vulnerability is not listed in CISA’s KEV catalog, and no EPSS information is available. Based on the description, an attacker is inferred to need local access in order to run the make:controller command through the application’s command‑line interface. With that access, the attacker can create arbitrary directories relative to the installation path but cannot create files within them, because the validation check blocks the write. This grants neither code execution nor elevated privileges on its own. The fabricated directories could, however, serve as a foothold if a further vulnerability or a permission misconfiguration later allows configuration files or scripts to be placed and executed there. The attack vector is therefore local, through the CLI, rather than remote.
Sources
GitHub GHSA advisory (via OpenCVE enrichment)