PHP FrankenPHP vulnerabilities
2 known vulnerabilities affecting php/frankenphp.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
HIGH: 2
Vulnerabilities
CVE-2026-24894 | HIGH | CVSS 8.7 | CWE-269 | fixed in 1.11.2 | 2026-02-12
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_star
Source: NVD
CVE-2026-24895 | HIGH | CVSS 8.9 | CWE-180 | fixed in 1.11.2 | 2026-02-12
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can incre
Source: NVD