Security Flaw in Flight Micro-Framework for PHP Affecting Data Integrity
CVE-2026-42551
What is CVE-2026-42551?
The Flight micro-framework for PHP contains a significant vulnerability in the Request::getMethod() function. The function accepts an HTTP method override from the X-HTTP-Method-Override header or the $_REQUEST['_method'] parameter without validating it against a configured whitelist, so an unsafe HTTP method can be executed under the guise of a safer one, such as a GET request. This opens the door to Cross-Site Request Forgery (CSRF), allowing an attacker to perform destructive actions or manipulate data on the server. It may also allow middleware to be bypassed and creates opportunities for cache poisoning between a content delivery network and the origin server. Users are strongly advised to update to version 3.18.1 or later to mitigate this risk.
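To make the weakness concrete, the following added example (not Flight's own code, and not a reproduction of the patched getMethod()) contrasts an assumed weak override resolver, which trusts X-HTTP-Method-Override or _method from any request, with a hardened one that only honours an override on POST and only for an explicit allowlist. The function names, the sample requests and the allowlist contents are assumptions chosen for illustration.

```php
<?php
// Added example, not part of the Flight project. Demonstrates why an
// unvalidated HTTP method override lets a GET masquerade as an unsafe verb,
// and what a whitelist-plus-POST-only resolver looks like instead.

// Assumed weak pattern: honour the override from the header or the merged
// request array on any incoming method, with no allowlist.
function weakResolveMethod(array $server, array $request): string
{
    if (isset($server['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
        return strtoupper($server['HTTP_X_HTTP_METHOD_OVERRIDE']);
    }
    if (isset($request['_method'])) {
        return strtoupper($request['_method']);
    }
    return strtoupper($server['REQUEST_METHOD'] ?? 'GET');
}

// Hardened pattern: a safe method is never rewritten, and only verbs on the
// configured allowlist are accepted as overrides of a POST.
function safeResolveMethod(
    array $server,
    array $post,                                   // body fields only, not $_REQUEST
    array $allowed = ['PUT', 'PATCH', 'DELETE']    // assumed allowlist
): string {
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');

    // A GET (or HEAD, OPTIONS) must stay what it is: link clicks, prefetchers
    // and CDN caches may replay it, so it must never trigger a state change.
    if ($method !== 'POST') {
        return $method;
    }

    $override = $server['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? $post['_method'] ?? null;
    if ($override === null) {
        return 'POST';
    }

    $override = strtoupper(trim((string) $override));
    // Anything not on the allowlist is ignored rather than honoured.
    return in_array($override, $allowed, true) ? $override : 'POST';
}

// Constructed sample requests (not captured traffic).
$getWithHeader = [
    'server'  => ['REQUEST_METHOD' => 'GET', 'HTTP_X_HTTP_METHOD_OVERRIDE' => 'DELETE'],
    'request' => [],
    'post'    => [],
];
$getWithQueryParam = [
    'server'  => ['REQUEST_METHOD' => 'GET'],
    'request' => ['_method' => 'delete'],   // arrived via the query string
    'post'    => [],
];
$postWithBodyParam = [
    'server'  => ['REQUEST_METHOD' => 'POST'],
    'request' => ['_method' => 'PUT'],
    'post'    => ['_method' => 'PUT'],
];
$postWithUnknownVerb = [
    'server'  => ['REQUEST_METHOD' => 'POST', 'HTTP_X_HTTP_METHOD_OVERRIDE' => 'PURGE'],
    'request' => [],
    'post'    => [],
];

foreach ([
    'GET + override header' => $getWithHeader,
    'GET + ?_method=delete' => $getWithQueryParam,
    'POST + _method=PUT'    => $postWithBodyParam,
    'POST + PURGE override' => $postWithUnknownVerb,
] as $label => $req) {
    printf(
        "%-22s weak=%-6s safe=%s\n",
        $label,
        weakResolveMethod($req['server'], $req['request']),
        safeResolveMethod($req['server'], $req['post'])
    );
}
```

Two design points matter here. First, the hardened resolver reads `_method` from the POST body rather than from `$_REQUEST`, because `$_REQUEST` merges query-string, body and cookie values, so a `_method` in a URL would otherwise be honoured; that is the path by which a plain link or cached GET can be turned into a mutating request. Second, restricting overrides to POST and an allowlist removes the GET-to-unsafe-method rewrite and keeps routing and middleware decisions aligned with the verb the client actually sent, but it is not a CSRF defence on its own: cross-origin forms can still POST, so the application's CSRF token check must run regardless of which verb the override resolves to.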
Affected Version(s)
core < 3.18.1
