Description
FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3.
Published: 2026-06-10
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FrankenPHP’s splitPos() routine that tokenizes CGI request paths misuses a case‑insensitive search when a non‑ASCII byte is present. This causes the engine to misclassify a file that is not a .php script as a PHP script. An attacker who can write a file to a directory served by FrankenPHP can therefore craft a URL whose path triggers either of the two fallback flaws, resulting in the server executing the file as PHP code. The consequence is full remote code execution, allowing an attacker to compromise confidentiality, integrity, and availability of the entire application or system.
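The description above pins the flaw on applying a Unicode-aware, case-insensitive search (golang.org/x/text/search with search.IgnoreCase) to a request path that may contain non-ASCII bytes. The Go program below is an added illustration of the defensive pattern, not FrankenPHP's own code and not its fix: it splits SCRIPT_NAME from PATH_INFO by comparing raw bytes against ".php" with ASCII-only case folding, so a non-ASCII byte can never fold into the extension, and it requires the ".php" segment to end at a path separator or at the end of the path. The function names (SplitScriptPath, hasPHPAt, asciiLower) and the sample paths are assumptions constructed for this example.

```go
package main

import "fmt"

// asciiLower folds only A-Z to a-z. Non-ASCII bytes pass through untouched,
// so no Unicode case-folding rule can make a foreign byte sequence compare
// equal to ".php". (Hypothetical helper, not FrankenPHP code.)
func asciiLower(b byte) byte {
	if b >= 'A' && b <= 'Z' {
		return b + ('a' - 'A')
	}
	return b
}

// hasPHPAt reports whether path[i:] starts with ".php" (ASCII-case-insensitive,
// byte-wise) and whether that extension is followed by end-of-path or '/'.
// The boundary check stops "/a.phpx" or "/a.php.txt" from being treated as a
// PHP script segment.
func hasPHPAt(path string, i int) bool {
	const ext = ".php"
	if i+len(ext) > len(path) {
		return false
	}
	for j := 0; j < len(ext); j++ {
		if asciiLower(path[i+j]) != ext[j] {
			return false
		}
	}
	end := i + len(ext)
	return end == len(path) || path[end] == '/'
}

// SplitScriptPath returns the script part (everything up to and including the
// first ".php" segment boundary) and the remaining PATH_INFO. ok is false when
// the path contains no PHP script segment, in which case a server should serve
// the file statically (or refuse it) rather than execute it.
func SplitScriptPath(path string) (script, pathInfo string, ok bool) {
	for i := 0; i < len(path); i++ {
		if path[i] == '.' && hasPHPAt(path, i) {
			end := i + len(".php")
			return path[:end], path[end:], true
		}
	}
	return "", "", false
}

func main() {
	// Constructed sample paths; the non-ASCII one shows that foreign bytes
	// simply fail the byte comparison instead of being case-folded.
	for _, p := range []string{
		"/index.php",
		"/app/INDEX.PHP/extra/info",
		"/uploads/résumé.txt",
		"/uploads/image.phpx",
	} {
		s, info, ok := SplitScriptPath(p)
		fmt.Printf("%-28s php=%-5v script=%q pathinfo=%q\n", p, ok, s, info)
	}
}
```

The point of the example is the comparison primitive: extension detection on a CGI path is a byte-level decision about an ASCII literal, and any case-insensitivity applied there should be restricted to the ASCII range rather than delegated to a locale-aware Unicode matcher.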

Affected Systems

The vulnerability affects the php:frankenphp product in versions from 1.11.2 up to, but not including, 1.12.3. Any deployment where an adversary can place or modify content in a file served by FrankenPHP (for example via user uploads, file storage mechanisms, or externally editable directories) is susceptible.

Risk and Exploitability

With a CVSS score of 8.1 the flaw is considered High severity. No EPSS data is available, so the likely exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. Attackers need the ability to upload or otherwise place a file into the server's file system and then reference that file in the URL; the trigger is carried entirely in the request path, so no access beyond ordinary HTTP traffic is required. Given the high severity and the potential for remote code execution, the risk to affected infrastructures is significant.

Generated by OpenCVE AI on June 10, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FrankenPHP to version 1.12.3 or later, which contains a fixed splitPos() implementation.
  • If an immediate patch is not possible, revoke write permissions on directories that can be served by FrankenPHP and/or move user‑supplied files to a separate storage location that is not directly processed as PHP scripts.
  • Configure upload handlers to reject files that contain non‑ASCII characters in their filenames or enforce strict MIME type checks, ensuring only valid PHP source files are accepted.

Advisories

Source: GitHub GHSA
ID: GHSA-3g8v-8r37-cgjm
Title: FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
History

Wed, 10 Jun 2026 19:45:00 +0000

Type: First Time appeared
Values added: Php, Php frankenphp

Type: Vendors & Products
Values added: Php, Php frankenphp

Wed, 10 Jun 2026 18:15:00 +0000

Type: Description
Values added: (identical to the Description above)

Type: Title
Values added: FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

Type: Weaknesses
Values added: CWE-176, CWE-178, CWE-20

Type: References

Type: Metrics
Values added: cvssV3_1, score 8.1, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T17:38:42.454Z

Reserved: 2026-05-08T18:45:10.095Z

Link: CVE-2026-45062

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-06-10T18:16:57.077

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-45062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z

Weaknesses