CVE-2026-24895

EUVD-2026-6699

12.02.2026, 20:16

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 16%

Affected Products (NVD)

Vendor	Product	Version
php	frankenphp	𝑥 < 1.11.2

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38

Common Weakness Enumeration

CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize
The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step.

References

https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e

https://github.com/php/frankenphp/releases/tag/v1.11.2

https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38