VYPR

Frankenphp

by PHP

CVEs (3)

  • CVE-2026-45062 | High | Jun 10, 2026
    risk 0.46 | cvss 8.1 | epss 0.01

    FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an…

  • CVE-2026-24895 | Feb 12, 2026
    risk 0.00 | cvss | epss 0.01

    FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies…

  • CVE-2026-24894 | Feb 12, 2026
    risk 0.00 | cvss | epss 0.00

    FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the…