CVE-2026-45062
Deferred Deferred - Pending Action

Path Traversal in FrankenPHP Leading to RCE

Vulnerability report for CVE-2026-45062, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-10
Last Modified
2026-06-11
Generated
2026-07-07
AI Q&A
2026-06-10
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
frankenphp frankenphp From 1.11.2 (inc) to 1.12.3 (exc)
php frankenphp From 1.11.2 (inc) to 1.12.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-176 The product does not properly handle when an input contains Unicode encoding.
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-45062 allows an attacker to execute arbitrary code remotely by exploiting unsafe Unicode handling in FrankenPHP, potentially leading to a full compromise of the application server.

Such a compromise could result in unauthorized access to sensitive data, which may violate data protection regulations like GDPR or HIPAA if personal or protected health information is exposed or manipulated.

Therefore, organizations using affected versions of FrankenPHP without applying the patch risk non-compliance with these standards due to potential data breaches or loss of data integrity.

Executive Summary

CVE-2026-45062 is a vulnerability in FrankenPHP versions 1.11.2 to before 1.12.3 involving unsafe Unicode handling in the CGI path splitting function called splitPos().

The flaw arises from two issues: a control-flow error where a stale match variable remains true after encountering non-ASCII bytes, and Unicode equivalence problems caused by using search.IgnoreCase, which folds non-ASCII characters into ASCII equivalents.

These issues allow an attacker to trick FrankenPHP into treating non-.php files as .php scripts by crafting URLs with specific Unicode payloads, bypassing file extension checks.

If the attacker can place files on the server (e.g., via uploads or file storage), this can escalate to remote code execution without authentication.

Impact Analysis

This vulnerability can have severe impacts, including allowing an attacker to execute arbitrary code remotely on the FrankenPHP server.

An attacker who can upload or place files on the server can craft URLs that cause non-PHP files to be executed as PHP scripts, leading to full compromise of the FrankenPHP process.

The CVSS score of 8.1 (High) reflects the critical nature of this vulnerability, as it can lead to complete control over the affected application server.

Detection Guidance

This vulnerability can be detected by monitoring for requests containing URLs with crafted Unicode payloads that exploit the unsafe Unicode handling in the CGI path splitting function. Specifically, look for requests with file names using Unicode lookalike characters such as `shellοΉ’php` or `shell.php` which bypass normal .php extension checks.

On the system or network, detection involves inspecting web server logs or traffic for suspicious URL patterns that include non-ASCII characters in file extensions that should be .php files.

Example commands to detect such attempts could include using grep or similar tools to search logs for suspicious Unicode characters in URLs:

  • grep -P '[\x{FF0E}\x{FF61}]php' /var/log/nginx/access.log
  • grep -P '[.q]php' /var/log/apache2/access.log

These commands search for Unicode full stop characters (such as U+FF0E or U+FF61) used in place of the ASCII dot in .php extensions, which are indicators of exploitation attempts.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade FrankenPHP to version 1.12.3 or later, where the vulnerability has been patched by removing the unsafe Unicode fallback in the CGI path splitting function.

Until the upgrade can be applied, restrict or sanitize any user-controlled file uploads or file storage locations served by FrankenPHP to prevent attacker-controlled filenames that could exploit this vulnerability.

Additionally, monitor and block suspicious requests containing Unicode lookalike characters in URLs to reduce the risk of exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45062. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart