HarborGuard Database

CVE-2026-45062 (HIGH), CNA: GitHub_M

CVE-2026-45062: FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3.
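The advisory concerns how a request path is split into a script name and PATH_INFO at the first `.php` boundary. The hardened splitter below is an added example, not FrankenPHP's code: it folds case for ASCII letters only, compares every other byte exactly, and computes offsets on the original bytes so a non-ASCII or invalid UTF-8 byte in the path cannot shift the boundary. Function names and sample paths are assumptions constructed for illustration.

```go
package main

import "fmt"

// asciiEqualFold reports whether a and b are equal after folding only the
// ASCII letters A-Z; bytes >= 0x80 (and invalid UTF-8) are compared exactly,
// so no Unicode case rule can make a non-ASCII byte match a ".php" letter.
func asciiEqualFold(a, b string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := 0; i < len(a); i++ {
		ca, cb := a[i], b[i]
		if 'A' <= ca && ca <= 'Z' {
			ca += 'a' - 'A'
		}
		if 'A' <= cb && cb <= 'Z' {
			cb += 'a' - 'A'
		}
		if ca != cb {
			return false
		}
	}
	return true
}

// splitPHPPath returns the byte offset just past the first ".php" that ends a
// path segment (end of path or followed by '/'), or -1 if there is none.
// Offsets are taken on the original bytes; never on a lowercased copy, since
// lowercasing can change byte lengths for non-ASCII runes.
func splitPHPPath(path string) int {
	const ext = ".php"
	for i := 0; i+len(ext) <= len(path); i++ {
		if !asciiEqualFold(path[i:i+len(ext)], ext) {
			continue
		}
		end := i + len(ext)
		if end == len(path) || path[end] == '/' {
			return end
		}
	}
	return -1
}

func main() {
	// Constructed sample: multi-byte runes before the extension, upper-case ext.
	for _, p := range []string{"/files/résumé.PHP/info", "/a.php.txt", "/up/\xff.php/x"} {
		fmt.Printf("%q -> %d\n", p, splitPHPPath(p))
	}
}
```

Whatever splitter is used, the server should still confirm that the resolved file under the document root has the `.php` extension byte for byte before handing it to the interpreter.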

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: 1.12.3
  • Affected products: 1


HarborGuard Analysis

Synopsis

An unsafe Unicode handling flaw in FrankenPHP's CGI path-splitting logic allows a remote attacker to trick the server into executing non-PHP files as PHP scripts. The vulnerability is reachable over the network without any authentication, though attack complexity is rated High (CVSS AC:H): the attacker must also be able to place content into a file served by FrankenPHP. Successful exploitation gives the attacker full remote code execution on the host, with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 1.12.3 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-45062 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle FrankenPHP 1.11.2 through 1.12.2.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 8.1 (High) and weighting that score against each environment's compliance policy to surface it at the appropriate priority; routing to the correct team inbox within each customer org is handled automatically based on configured ownership rules.

Available
Patch

Because this CVE has a confirmed fix in version 1.12.3, a patched-image rebuild at that version is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a PR against affected workloads automatically.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the FrankenPHP service over the network; the vulnerable path-parsing code is exercised on incoming HTTP requests.

  • Authentication: Not required

    No credentials or account are needed; the malicious request can be sent by any unauthenticated client.

  • Victim interaction: Not required

    No user action is required; the attacker sends a crafted HTTP request directly to the server.

  • Attack complexity: High

    Exploitation is rated High complexity because the attacker must also control a file served by FrankenPHP (for example via an upload endpoint) and craft a URL path containing a non-ASCII byte sequence that triggers the Unicode fallback flaw.

Blast Radius

  • Attacker achieves remote code execution by causing FrankenPHP to interpret an attacker-supplied file as a PHP script, running arbitrary server-side code under the web server's process identity.
  • Arbitrary code execution gives read access to application secrets, environment variables, database credentials, and any files readable by the server process.
  • The attacker can write or overwrite files on the server, modify application data, or plant a persistent web shell.
  • The server process can be crashed or exhausted, taking down the FrankenPHP application and any services it backs.

How HarborGuard Handles This

Available on HarborGuard: any image containing FrankenPHP 1.11.2 through 1.12.2 is flagged immediately on CVE ingestion. A patched-image rebuild at version 1.12.3 is available for affected environments. For customers who opt into auto-remediation, HarborGuard can rebuild the image, execute the configured regression-test suite, and open a PR against affected workloads; for High-severity CVEs with a published fix, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where auto-remediation is not enabled, the rebuilt image is staged and the finding is routed to the team inbox so engineers can review and promote it manually. Until a patched image is deployed, compensating controls include network-policy rules that restrict which clients can reach the FrankenPHP service, disabling or tightly restricting any file-upload or user-controlled file-write endpoints, and auditing served directories to ensure no attacker-writable paths exist.

Affected packages

  • php / frankenphp: >= 1.11.2, < 1.12.3

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H