Directory Traversal Vulnerability in Flight Micro-Framework for PHP
CVE-2026-42549

4.4 MEDIUM

Key Information:

Vendor: FlightPHP
CVE Published: 13 May 2026

What is CVE-2026-42549?

The Flight micro-framework for PHP has a directory traversal vulnerability in its make:controller CLI command, caused by improper handling of user-supplied input. Before version 3.18.1, this command invoked mkdir with recursive creation, potentially allowing the creation of directories outside the intended project root. Although Nette's class-name validation prevents invalid character usage, the recursive directory creation can still lead to unauthorized directory access through paths like ../. This vulnerability highlights the importance of validating user input effectively to prevent unauthorized access to the file system.
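A containment check of the kind this class of bug calls for, as an added example; it is not Flight's code or the 3.18.1 fix. The helper names, the `app/controllers` layout and the sample inputs are constructed for illustration, and the code assumes PHP 8 and POSIX-style paths.

```php
<?php
declare(strict_types=1);

// Lexically collapse "." and ".." in an absolute POSIX path. realpath() is not
// usable here because the target directory does not exist yet.
function normalizeAbsolute(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts); // no-op at "/", so the result never climbs above it
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

// Hypothetical helper: create $relative below $root, refusing any escape.
function safeMkdirUnder(string $root, string $relative): string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        throw new RuntimeException("Root does not exist: $root");
    }
    $target = normalizeAbsolute($rootReal . '/' . $relative);
    // Compare with a trailing slash so /app/controllers-evil does not match.
    if (!str_starts_with($target . '/', rtrim($rootReal, '/') . '/')) {
        throw new InvalidArgumentException("Path escapes project root: $relative");
    }
    if (!is_dir($target) && !mkdir($target, 0775, true) && !is_dir($target)) {
        throw new RuntimeException("Could not create $target");
    }
    return $target;
}

// Constructed demo inputs, run inside a throwaway temp directory.
$root = sys_get_temp_dir() . '/flight-demo-' . bin2hex(random_bytes(4)) . '/app/controllers';
mkdir($root, 0775, true);
foreach (['Admin/Reports', '../../outside', 'Api/../../../escape'] as $name) {
    try {
        echo 'created:  ', safeMkdirUnder($root, $name), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The check is lexical only, so a symlink that already exists inside the root and points elsewhere would need a separate realpath() check on the deepest existing parent.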

Affected Version(s)

core < 3.18.1

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved