Remote Code Execution Vulnerability in FrankenPHP by PHP
CVE-2026-45062

8.1 HIGH

Key Information:

Vendor: PHP

CVE Published: 10 June 2026

What is CVE-2026-45062?

FrankenPHP, a modern application server for PHP, has a vulnerability in the splitPos() function in cgi.go, affecting versions up to 1.12.2. The flaw arises from mishandling of non-ASCII bytes when using the golang.org/x/text/search module. An attacker can exploit it to make FrankenPHP incorrectly recognize a non-.php file as a .php script. In environments where an attacker can upload files or manage content, manipulating URL paths can then result in remote code execution. The issue is resolved in version 1.12.3.

Affected Version(s)

frankenphp >= 1.11.2, < 1.12.3

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
