Remote Code Execution Vulnerability in FrankenPHP by PHP
CVE-2026-45062
8.1 HIGH
What is CVE-2026-45062?
FrankenPHP, a modern application server for PHP, has a vulnerability in the splitPos() function in cgi.go, affecting versions up to 1.12.2. The flaw arises from mishandling of non-ASCII bytes when using the golang.org/x/text/search module. An attacker can exploit it to make FrankenPHP treat a non-.php file as a .php script. In environments where an attacker can upload files or manage content, this can result in remote code execution through manipulated URL paths. The issue is resolved in version 1.12.3.
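A log triage check for the behaviour described above, added here as an example and not FrankenPHP's own code: it lists requests whose percent-decoded URL path contains non-ASCII bytes, so they can be reviewed against upload and content directories. The JSON log shape (`request.uri`), the function names and the sample lines are constructed assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample lines; the JSON shape (request.uri) is an assumed access-log format.
const sampleLog = `{"request":{"uri":"/index.php?id=1"},"status":200}
{"request":{"uri":"/media/caf%C3%A9.jpg"},"status":200}
{"request":{"uri":"/docs/%E2%9C%93/readme.txt?x=%C3%A9"},"status":404}
{"request":{"uri":"/broken%zz"},"status":400}`

type entry struct {
	Request struct {
		URI string `json:"uri"`
	} `json:"request"`
}

// nonASCIIPath reports whether the percent-decoded path (query excluded) holds non-ASCII data.
func nonASCIIPath(uri string) bool {
	path, _, _ := strings.Cut(uri, "?")
	decoded, err := url.PathUnescape(path)
	if err != nil {
		decoded = path // malformed escape: fall back to the raw path
	}
	// Invalid UTF-8 bytes decode to U+FFFD, which is also >= 0x80, so they are flagged too.
	return strings.IndexFunc(decoded, func(r rune) bool { return r >= 0x80 }) >= 0
}

// flagged returns the URIs of log entries whose path contains non-ASCII data.
func flagged(log string) []string {
	var out []string
	for _, line := range strings.Split(log, "\n") {
		var e entry
		if json.Unmarshal([]byte(line), &e) == nil && nonASCIIPath(e.Request.URI) {
			out = append(out, e.Request.URI)
		}
	}
	return out
}

func main() {
	for _, u := range flagged(sampleLog) {
		fmt.Println("review:", u)
	}
}
```

Non-ASCII paths are common on sites with internationalized URLs, so a hit is a candidate for review rather than proof of exploitation.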
Affected Version(s)
frankenphp >= 1.11.2, < 1.12.3