GitHub.com dunglas/frankenphp vulnerabilities
3 known vulnerabilities affecting github.com/dunglas_frankenphp.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3
Vulnerabilities
CVE-2026-24894 | HIGH | affected versions: ≥ 0, < 1.11.2 | published 2026-02-12
CVE-2026-24894 [HIGH] CWE-269 FrankenPHP leaks session data between requests in worker mode
### Summary
When running FrankenPHP in **worker mode**, the `$_SESSION` superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the `$_SESSION` data of the previous request (potentially belonging to a different user) before `session_start()` is called.
### Details
In stand
CVE-2026-24895 | HIGH | affected versions: ≥ 0, < 1.11.2 | published 2026-02-12
CVE-2026-24895 [HIGH] CWE-180 FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP
### Summary
FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding `.php`) on a lowercased copy of the reques
CVE-2025-15467 | HIGH | CVSS 8.8 | affected versions: ≥ 0, < 1.1.11 | published 2026-02-05
[HIGH] CWE-1395 FrankenPHP has delayed propagation of security fixes in upstream base images
# Delayed propagation of security fixes in upstream base images
## Summary
**Vulnerability in base Docker images (PHP, Go, and Alpine) not automatically propagating to FrankenPHP images.**
FrankenPHP's container images were previously built only when specific version tags were updated or when manual triggers were initiated.