FrankenPHP 1.11.21.12.2 RCE via splitPos() Path Misinterpretation
CVE-2026-45062 Published on June 10, 2026
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3.
Vulnerability Analysis
CVE-2026-45062 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Improper Handling of Unicode Encoding
The software does not properly handle when an input contains Unicode encoding.
Improper Handling of Case Sensitivity
The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Products Associated with CVE-2026-45062
Want to know whenever a new CVE is published for PHP? stack.watch will email you.
