Information Disclosure in Flight Micro-Framework by Flight
CVE-2026-42552

7.5 HIGH

Key Information:

Vendor: FlightPHP

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-42552?

The Flight micro-framework for PHP, prior to version 3.18.1, contains an information disclosure vulnerability. The default error handler, Engine::_error(), writes the complete exception message, the exception code and the stack trace directly into the HTTP 500 response. This output can occur without proper debugging controls, potentially revealing internal filesystem paths and secrets contained in exception messages. Attackers can use this information to chain further attacks, such as Local File Inclusion (LFI) and path traversal, thereby compromising the security of production environments.
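To check whether a deployment's error pages show the leak described above, the following added example (not code from the Flight project or from this advisory) scans a captured HTTP 500 body for PHP stack-trace frames and absolute .php paths. The function name and both sample bodies are constructed for illustration. The frame pattern follows the output format of PHP's Throwable::getTraceAsString().

```python
import html
import re

# One frame as emitted by PHP's Throwable::getTraceAsString(), e.g.
#   "#0 /srv/app/src/Db.php(31): PDO->__construct()"  ...  "#2 {main}"
FRAME = re.compile(r"#\d+ (?:\S+\(\d+\): |\{main\}|\[internal function\]: )")
# Absolute Unix or Windows path to a .php file anywhere in the body.
PHP_PATH = re.compile(r"(?:[A-Za-z]:\\|/)[\w.\-\\/]+\.php")


def audit_error_body(body: str) -> dict:
    """Count stack-trace frames and collect .php paths leaked in an error body."""
    text = html.unescape(body)  # the trace may or may not be HTML-escaped
    frames = FRAME.findall(text)
    paths = sorted(set(PHP_PATH.findall(text)))
    return {
        "trace_frames": len(frames),
        "paths": paths,
        "leaks": bool(frames or paths),
    }


# Constructed sample: a 500 body carrying message, code and trace,
# as the advisory describes for affected versions.
LEAKY_BODY = """<h1>500 Internal Server Error</h1>
<h3>SQLSTATE[HY000] [1045] Access denied for user &#039;app&#039; (1045)</h3>
<pre>#0 /var/www/app/src/Db.php(31): PDO-&gt;__construct()
#1 /var/www/app/public/index.php(12): App\\Db::connect()
#2 {main}</pre>"""

# Constructed sample: a generic error page with only a correlation reference.
GENERIC_BODY = "<h1>500 Internal Server Error</h1><p>Reference: 7f3a9c</p>"

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_BODY), ("generic", GENERIC_BODY)):
        print(name, audit_error_body(body))
```

Run it against bodies captured from a staging instance after forcing an error. Any non-zero frame count or path list means exception detail is reaching clients.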

Affected Version(s)

core < 3.18.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
