VYPR
High severity8.1GHSA Advisory· Published Jun 10, 2026· Updated Jun 11, 2026

CVE-2026-45062

CVE-2026-45062

Description

FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/dunglas/frankenphpGo
>= 1.11.2, < 1.12.31.12.3

Affected products

1

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.