CVE-2026-24895Incorrect Behavior Order: Validate Before Canonicalize in Dunglas Frankenphp

CWE-180Incorrect Behavior Order: Validate Before CanonicalizeCWE-20Improper Input Validation5 documents4 sources
Severity
8.9HIGHNVD
EPSS
0.1%
top 76.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Dunglas FrankenphpPHP Frankenphp
Timeline
PublishedFeb 12
Latest updateFeb 17

Description

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in t

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

NVDphp/frankenphp< 1.11.2

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP in github.com/dunglas/frankenphp2026-02-17
OSV
FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP2026-02-12
GHSA
FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP2026-02-12

🕵️Threat Intelligence

1
Wiz
CVE-2026-24895 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-24895 — Dunglas Frankenphp vulnerability | cvebase