CVE-2026-24895

{"id": "CVE-2026-24895", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-12T20:16:10.170", "references": [{"url": "https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/php/frankenphp/releases/tag/v1.11.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38", "tags": ["Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-180"}]}], "descriptions": [{"lang": "en", "value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP\u2019s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., \u023a expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2."}, {"lang": "es", "value": "FrankenPHP es un moderno servidor de aplicaciones para PHP. Antes de 1.11.2, la l\u00f3gica de divisi\u00f3n de rutas CGI de FrankenPHP maneja incorrectamente los caracteres Unicode durante la conversi\u00f3n de may\u00fasculas y min\u00fasculas. La l\u00f3gica calcula el \u00edndice de divisi\u00f3n (para encontrar .php) en una copia en min\u00fasculas de la ruta de la solicitud, pero aplica ese \u00edndice de bytes a la ruta original. Debido a que strings.ToLower() en Go puede aumentar la longitud en bytes de ciertos caracteres UTF-8 (por ejemplo, ? se expande al convertirse a min\u00fasculas), el \u00edndice calculado puede no alinearse con la posici\u00f3n correcta en la cadena original. Esto resulta en un SCRIPT_NAME y SCRIPT_FILENAME incorrectos, potencialmente causando que FrankenPHP ejecute un archivo diferente al previsto por la URI. Esta vulnerabilidad est\u00e1 corregida en 1.11.2."}], "lastModified": "2026-02-20T18:30:00.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:php:frankenphp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2C3D161-7DC3-4241-9EBA-481806A802B5", "versionEndExcluding": "1.11.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}