Description
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38
Patch x_refsource_misc
https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e
Release Notes x_refsource_misc
https://github.com/php/frankenphp/releases/tag/v1.11.2
Scores
CVSS v3
9.8
EPSS
0.0008
EPSS Percentile
23.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-180
Status
published
Products (2)
dunglas/frankenphp
0 - 1.11.2Go
php/frankenphp
< 1.11.2
Published
Feb 12, 2026
Tracked Since
Feb 18, 2026