{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/frankenphp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:php:frankenphp:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-24895"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["frankenphp"],"_cs_severities":["high"],"_cs_tags":["unicode","remote code execution","web server"],"_cs_type":"advisory","_cs_vendors":["dunglas"],"content_html":"\u003cp\u003eThe \u003ccode\u003esplitPos()\u003c/code\u003e function in \u003ca href=\"https://github.com/php/frankenphp/blob/main/cgi.go\"\u003e\u003ccode\u003ecgi.go\u003c/code\u003e\u003c/a\u003e in FrankenPHP versions 1.11.2 through 1.12.2 misuses \u003ccode\u003egolang.org/x/text/search\u003c/code\u003e with \u003ccode\u003esearch.IgnoreCase\u003c/code\u003e when a request path contains a non-ASCII byte. That matcher compares by Unicode equivalence rather than byte-for-byte, which produces two distinct flaws, each letting an attacker trick FrankenPHP into interpreting a non-\u003ccode\u003e.php\u003c/code\u003e file as a PHP script. Where an attacker can also place content into files served by FrankenPHP (through an upload endpoint or a file storage service, for example), either flaw can be turned into remote code execution by requesting a crafted URL. 
These vulnerabilities were reported by @KC1zs4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains the ability to upload or place files with arbitrary content and names into a directory served by FrankenPHP (e.g., via a file upload endpoint).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file with PHP code, giving it a name designed to exploit either of the \u003ccode\u003esplitPos()\u003c/code\u003e flaws (e.g., \u003ccode\u003eshell﹒php\u003c/code\u003e or \u003ccode\u003ename.¡.txt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the FrankenPHP server, targeting the uploaded file via a crafted URL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esplitPos()\u003c/code\u003e function incorrectly identifies the path as a PHP file due to the Unicode equivalence or non-ASCII handling issues.\u003c/li\u003e\n\u003cli\u003eFrankenPHP sets the \u003ccode\u003eSCRIPT_FILENAME\u003c/code\u003e to the path of the attacker\u0026rsquo;s malicious file.\u003c/li\u003e\n\u003cli\u003eThe PHP interpreter processes the attacker-controlled file as a PHP script.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s PHP code executes within the FrankenPHP process, granting the attacker remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as reading sensitive data, writing files, or executing system commands on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to achieve remote code execution on systems running vulnerable versions of FrankenPHP. This is possible in scenarios where the attacker can upload or place files with predictable names into directories served by FrankenPHP. 
The impact is similar to CVE-2026-24895, but requires the ability to control file content and name. A successful attack can lead to complete compromise of the server, including data theft, modification, and denial of service. CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H — High (8.1).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a FrankenPHP release later than 1.12.2, in which the vulnerable matching code has been removed.\u003c/li\u003e\n\u003cli\u003eDeploy the accompanying Sigma rule, which flags exploitation attempts that use Unicode characters in the requested file path.\u003c/li\u003e\n\u003cli\u003eEnforce strict naming rules and input validation on uploads so that file names containing non-ASCII characters are rejected, and store uploads under server-generated names, preferably outside any directory FrankenPHP serves, so that an attacker never controls both the name and the content of a file the server could execute.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests whose paths contain non-ASCII characters, raw or percent-encoded, or unexpected file extensions; the accompanying detection rules cover these patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T17:10:46Z","date_published":"2026-05-15T17:10:46Z","id":"https://feed.craftedsignal.io/briefs/2026-05-unsafe-unicode-frankenphp/","summary":"Two distinct flaws in the `splitPos()` function in `cgi.go` allow an attacker to mislead FrankenPHP into treating a non-`.php` file as a `.php` script, leading to remote code execution where the attacker can control file content.","title":"FrankenPHP Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files","url":"https://feed.craftedsignal.io/briefs/2026-05-unsafe-unicode-frankenphp/"}],"language":"en","title":"CraftedSignal Threat Feed — Frankenphp","version":"https://jsonfeed.org/version/1.1"}
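Added example (not code from FrankenPHP or from the brief): a Go sketch of the two defensive measures the brief recommends, a path splitter in which only the ASCII bytes `.php` can mark a script, so the Unicode-equivalence trick in the attack chain above cannot fire, and a log-line check that flags request paths carrying non-ASCII bytes. The `splitPos` here is a simplified stand-in, not the function in `cgi.go`, the `golang.org/x/text/search` matcher itself is not reproduced, and the sample paths and log lines are constructed (Common Log Format is assumed for the log lines).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// asciiEqualFold compares two strings byte-for-byte, folding only ASCII
// letters. Any non-ASCII byte makes the comparison fail, so Unicode
// look-alikes of '.' or of the letters p/h/p can never match the marker.
func asciiEqualFold(a, b string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := 0; i < len(a); i++ {
		ca, cb := a[i], b[i]
		if ca >= 0x80 || cb >= 0x80 {
			return false
		}
		if 'A' <= ca && ca <= 'Z' {
			ca += 'a' - 'A'
		}
		if 'A' <= cb && cb <= 'Z' {
			cb += 'a' - 'A'
		}
		if ca != cb {
			return false
		}
	}
	return true
}

// splitPos is a hardened stand-in (assumed, not FrankenPHP's cgi.go) for the
// path splitter discussed in the brief. It returns the byte offset just past
// the first ".php" that ends the path or is followed by '/', i.e. the
// SCRIPT_NAME/PATH_INFO boundary, or -1 when no PHP script is named. Only
// ASCII bytes take part in the match; non-ASCII bytes never fold to '.'.
func splitPos(path string) int {
	const marker = ".php"
	for i := 0; i+len(marker) <= len(path); i++ {
		if !asciiEqualFold(path[i:i+len(marker)], marker) {
			continue
		}
		end := i + len(marker)
		if end == len(path) || path[end] == '/' {
			return end
		}
	}
	return -1
}

// hasNonASCII reports whether s contains any byte outside printable ASCII.
func hasNonASCII(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] >= 0x80 || s[i] < 0x20 {
			return true
		}
	}
	return false
}

// flagRequestLine applies the brief's log-monitoring recommendation to one
// Common Log Format line (assumed layout: the request is the first
// double-quoted field, "METHOD target HTTP/x"). It percent-decodes the
// request path and reports it for review when the decoded path carries
// non-ASCII bytes; malformed percent-escapes are reported too. Returns the
// decoded path and the verdict; an unparsable line yields ("", false).
func flagRequestLine(line string) (string, bool) {
	start := strings.IndexByte(line, '"')
	if start < 0 {
		return "", false
	}
	req := line[start+1:]
	end := strings.IndexByte(req, '"')
	if end < 0 {
		return "", false
	}
	fields := strings.Fields(req[:end])
	if len(fields) < 2 {
		return "", false
	}
	target := fields[1]
	if q := strings.IndexByte(target, '?'); q >= 0 {
		target = target[:q]
	}
	decoded, err := url.PathUnescape(target)
	if err != nil {
		return target, true
	}
	return decoded, hasNonASCII(decoded)
}

func main() {
	// Constructed samples. %EF%B9%92 is U+FE52 SMALL FULL STOP, the look-alike
	// dot from the brief's shell﹒php example.
	paths := []string{"/index.php", "/app/index.PHP/extra", "/uploads/shell\uFE52php", "/uploads/name.\u00A1.txt"}
	for _, p := range paths {
		fmt.Printf("%-28q split at %d\n", p, splitPos(p))
	}
	logs := []string{
		`203.0.113.7 - - [15/May/2026:17:10:46 +0000] "GET /uploads/shell%EF%B9%92php HTTP/1.1" 200 12`,
		`203.0.113.7 - - [15/May/2026:17:10:47 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512`,
	}
	for _, l := range logs {
		path, flag := flagRequestLine(l)
		fmt.Printf("%-28q suspicious=%v\n", path, flag)
	}
}
```

Run it as-is to see the four constructed paths split and the two constructed log lines scored. On sites that legitimately serve non-ASCII paths the bare non-ASCII check will be noisy; narrow it to paths whose non-ASCII characters sit in the final segment next to a `php`-like extension.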