CVE-2026-24895
Unicode Handling Flaw in FrankenPHP CGI Enables File Execution Mismatch
Publication date: 2026-02-12
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| php | frankenphp | < 1.11.2 (1.11.2 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-180 | The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24895 is a high-severity security vulnerability in FrankenPHP versions prior to 1.11.2, caused by improper handling of Unicode characters during CGI path splitting.

The vulnerability arises because the function that locates the ".php" extension in a request path lowercases the path to find the extension's position, but certain Unicode characters expand in byte length when lowercased. The computed index therefore no longer aligns with the original path.

As a result, FrankenPHP may compute SCRIPT_NAME and SCRIPT_FILENAME incorrectly, potentially executing files other than those intended by the URI.

For example, an attacker can craft a path with multiple such Unicode characters before ".php" to make the server treat a non-PHP file (such as a .txt file) as a PHP script, enabling execution of arbitrary files. [1, 2]
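As an added Go illustration (not FrankenPHP's own code; the two splitter functions and the hardened variant are assumptions about the pattern the advisory describes), this shows how a byte index computed on the lowercased path drifts when the path contains U+023A "Ⱥ", and a split that searches the original bytes case-insensitively instead:

```go
package main

import "fmt"
import "strings"

// splitPathVulnerable is a constructed illustration of the flawed pattern the
// advisory describes (not FrankenPHP's code): it lowercases the path to find
// ".php", then applies that byte index to the ORIGINAL path. U+023A "Ⱥ" is
// 2 bytes in UTF-8 but lowercases to U+2C65 "ⱥ" (3 bytes): 1 byte of drift each.
func splitPathVulnerable(path string) (scriptName, pathInfo string) {
	lower := strings.ToLower(path)
	idx := strings.Index(lower, ".php")
	if idx < 0 {
		return path, ""
	}
	end := idx + len(".php")
	if end > len(path) { // lower may be longer than path
		end = len(path)
	}
	return path[:end], path[end:]
}

// splitPathFixed (assumed hardened variant) compares 4-byte windows of the
// original path case-insensitively, so every offset refers to real bytes.
func splitPathFixed(path string) (scriptName, pathInfo string) {
	const ext = ".php"
	for i := 0; i+len(ext) <= len(path); i++ {
		if strings.EqualFold(path[i:i+len(ext)], ext) {
			return path[:i+len(ext)], path[i+len(ext):]
		}
	}
	return path, ""
}

// mismatch reports whether the two splitters disagree; a unit test or a
// request-path probe can use it to flag inputs that trigger the drift.
func mismatch(path string) bool {
	s1, p1 := splitPathVulnerable(path)
	s2, p2 := splitPathFixed(path)
	return s1 != s2 || p1 != p2
}

func main() {
	for _, p := range []string{"/app/index.php/info", "/Ⱥ/index.PHP/info"} {
		s, i := splitPathVulnerable(p)
		f, j := splitPathFixed(p)
		fmt.Printf("%q\n  vulnerable: %q + %q\n  fixed:      %q + %q\n", p, s, i, f, j)
	}
}
```

For the ASCII path both splitters agree; for the path with "Ⱥ" the vulnerable one returns a script name ending in "/" and a path info of "info", i.e. the boundary has slid one byte to the right.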
How can this vulnerability impact me?
This vulnerability can lead to a security boundary bypass and path confusion, allowing remote code execution (RCE).
An attacker can upload malicious files with non-PHP extensions and craft requests containing specific Unicode characters to trick FrankenPHP into executing these files as PHP scripts.
This can result in unauthorized execution of arbitrary code on the server, potentially compromising the entire system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for requests containing specific multi-byte Unicode characters, such as U+023A "Ⱥ", in URL paths before ".php" extensions. Such crafted requests may cause FrankenPHP to execute unintended files.

Detection involves inspecting web server logs or network traffic for suspicious URL paths that include these Unicode characters, especially multiple occurrences of "Ⱥ" or similar characters that expand in byte length when lowercased.

While no specific commands are provided in the resources, you can use tools like grep or network monitoring utilities to search for these characters in logs or traffic. For example:

- `LC_ALL=C grep -P '\xC8\xBA' /var/log/nginx/access.log`
- `tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'Ⱥ'`

These commands search for the UTF-8 byte sequence of "Ⱥ" in logs or live traffic, helping identify potentially malicious requests exploiting the vulnerability. Two caveats: `LC_ALL=C` makes grep treat `\xC8\xBA` as raw bytes rather than as code points in a UTF-8 locale, and clients normally percent-encode non-ASCII path bytes, so also search (case-insensitively) for the encoded form `%C8%BA`; traffic on port 443 is TLS-encrypted, so the tcpdump pipeline only sees the pattern on plaintext HTTP or after TLS termination. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading FrankenPHP to version 1.11.2 or later, where the vulnerability is fixed by implementing Unicode-aware, case-insensitive path splitting.
Additionally, store user-uploaded files outside the public document root to prevent unauthorized execution of malicious files.
Implement strict web application firewall (WAF) rules to block requests containing problematic multi-byte Unicode characters in URL paths, especially those that can cause path confusion.