CVE-2026-45062: FrankenPHP Remote Code Execution via Non-ASCII Path Handling
FrankenPHP, a PHP application server, contains a critical flaw in how it processes file extensions when request paths include non-ASCII characters. Versions 1.11.2 through 1.12.2 are vulnerable to an attack where an attacker can trick FrankenPHP into executing a non-PHP file as if it were PHP code. If your deployment allows file uploads or stores user-controlled content, an attacker could upload a malicious file and then craft a specially-formed URL to trigger code execution on your server. The vulnerability has been fixed in version 1.12.3.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-176, CWE-178, CWE-20
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from misuse of golang.org/x/text/search with the IgnoreCase option in the splitPos() function within cgi.go. When a request path contains non-ASCII bytes, the case-insensitive search logic fails to correctly identify file extensions, creating two distinct attack pathways. Both flaws allow an attacker to cause FrankenPHP to interpret non-.php files as PHP executables. The issue is classified under CWE-176 (Improper Handling of Unicode Encoding), CWE-178 (Improper Handling of Case Sensitivity), and CWE-20 (Improper Input Validation), reflecting the root cause in encoding and validation logic.
Business impact
For organizations running FrankenPHP in production, this vulnerability poses a severe risk. Any attacker who can place files on your server—through uploads, content management systems, file storage integrations, or other mechanisms—can achieve remote code execution. This could lead to data theft, system compromise, malware installation, or lateral movement within your infrastructure. The high CVSS score (8.1) reflects the ease of exploitation in environments where user file uploads are permitted, combined with the critical nature of code execution.
Affected systems
FrankenPHP versions 1.11.2 through 1.12.2 are affected. Version 1.12.3 and later contain the patch. Organizations should audit their deployment documentation or run `frankenphp --version` to determine if they are running a vulnerable release. This vulnerability affects all deployments regardless of operating system or hosting environment.
Exploitability
The vulnerability requires network access and the ability to place a file on the server, but does not require authentication or user interaction. An attacker must craft a malicious request URL that exploits the non-ASCII byte handling logic; the CVSS vector (AC:H) indicates moderate attack complexity, likely due to the need to identify or craft the correct payload. In real-world scenarios where uploads are enabled, exploitability is straightforward once an attacker understands the flaw.
Remediation
Upgrade FrankenPHP to version 1.12.3 or later immediately. This is a straightforward patch that corrects the splitPos() function logic. Before upgrading, consider restricting file uploads, validating uploaded file types strictly, or isolating FrankenPHP instances that accept user uploads. After patching, verify your deployment and monitor logs for any suspicious file requests using non-ASCII characters.
Patch guidance
Update to FrankenPHP version 1.12.3 or any subsequent release. Consult the official FrankenPHP release notes and installation documentation at the project repository for upgrade procedures specific to your deployment method (Docker, standalone binary, or compiled from source). Test the upgrade in a non-production environment first to ensure compatibility with your application stack. If you are on version 1.12.2 or earlier, prioritize this upgrade within your change management process.
Detection guidance
Monitor access logs for HTTP requests with non-ASCII characters in the path, especially those attempting to access or execute files with suspicious extensions. Look for patterns where requests reference files that are not .php but are followed by URL paths or parameters designed to trigger execution. Intrusion detection systems can be configured to alert on requests with encoded non-ASCII bytes (e.g., %xx patterns) targeting known upload directories. If you suspect exploitation, review recent file uploads and check for unexpected PHP execution or suspicious process activity on the server.
Why prioritize this
This vulnerability merits immediate remediation due to its combination of high impact (remote code execution) and practical exploitability in common deployment scenarios. The relatively low attack complexity (in realistic upload scenarios) and the ability to cause severe damage (confidentiality, integrity, and availability compromise) make it a priority for any security team. Organizations that allow file uploads should treat this as critical.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH) reflects a network-accessible vulnerability requiring moderate attack complexity, with no privilege escalation or special conditions, that results in complete compromise of confidentiality, integrity, and availability. The score appropriately captures the severity of remote code execution; the 'AC:H' modifier acknowledges that successful exploitation requires crafting a specific payload, but does not reduce urgency given the prevalence of file upload features in modern web applications.
Frequently asked questions
Can we safely run FrankenPHP 1.12.2 if we disable file uploads?
Disabling file uploads significantly reduces risk, but does not eliminate it entirely—the vulnerability exists in the core request path parsing logic and could theoretically be exploited if any mechanism allows file placement on the server (e.g., through deployment processes, cron jobs, or shared storage). Upgrade to 1.12.3 rather than relying on mitigations.
Do we need to rotate credentials or conduct a forensic investigation if we were running a vulnerable version?
If your FrankenPHP instance was exposed to untrusted networks and accepts uploads, assume potential compromise. Review logs from the version's deployment date through the present for suspicious file access or execution. Rotate credentials, inspect recent uploads, and check for persistence mechanisms. Engage incident response if you discover unauthorized activity.
Does this affect FrankenPHP deployments that only serve static files?
If FrankenPHP is configured solely to serve static files with no PHP execution enabled, the practical risk is lower. However, if there is any possibility of PHP execution (including through misconfiguration), the vulnerability remains a concern. Verify your configuration and upgrade regardless to eliminate the risk entirely.
What's the difference between the two flaws mentioned in the description?
The vulnerability leverages two distinct misuses of the golang.org/x/text/search API when processing non-ASCII bytes—both cause incorrect file extension detection. The exact details of each flaw are not disclosed to prevent premature exploitation; upgrading to 1.12.3 patches both pathways.
This analysis is based on the published CVE description and CVSS assessment as of the modification date. Readers should verify all patch version numbers, affected versions, and remediation steps against official vendor advisories and release notes before taking action. SEC.co does not guarantee the completeness or applicability of this guidance to every deployment; consult your security team and the FrankenPHP maintainers for environment-specific advice. No exploit code or weaponized proof-of-concept is provided; this content is intended for defensive security purposes only. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-44367LOWKlaw Username Case Sensitivity DoS and Account Lockout
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-0419HIGHNETGEAR JR6150 Command Injection via Insufficient Input Validation
- CVE-2026-10020HIGHChrome Android Sandbox Escape via Skia Input Validation Flaw
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10863HIGHMISP Correlations Query Ordering Vulnerability (CVSS 8.1)
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution