{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T01:02:56.203","vulnerabilities":[{"cve":{"id":"CVE-2026-24895","sourceIdentifier":"security-advisories@github.com","published":"2026-02-12T20:16:10.170","lastModified":"2026-02-20T18:30:00.857","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2."},{"lang":"es","value":"FrankenPHP es un moderno servidor de aplicaciones para PHP. Antes de 1.11.2, la lógica de división de rutas CGI de FrankenPHP maneja incorrectamente los caracteres Unicode durante la conversión de mayúsculas y minúsculas. La lógica calcula el índice de división (para encontrar .php) en una copia en minúsculas de la ruta de la solicitud, pero aplica ese índice de bytes a la ruta original. Debido a que strings.ToLower() en Go puede aumentar la longitud en bytes de ciertos caracteres UTF-8 (por ejemplo, Ⱥ se expande al convertirse a minúsculas), el índice calculado puede no alinearse con la posición correcta en la cadena original. Esto resulta en un SCRIPT_NAME y SCRIPT_FILENAME incorrectos, potencialmente causando que FrankenPHP ejecute un archivo diferente al previsto por la URI. Esta vulnerabilidad está corregida en 1.11.2."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.9,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":
[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-180"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:php:frankenphp:*:*:*:*:*:*:*:*","versionEndExcluding":"1.11.2","matchCriteriaId":"E2C3D161-7DC3-4241-9EBA-481806A802B5"}]}]}],"references":[{"url":"https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/php/frankenphp/releases/tag/v1.11.2","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38","source":"security-advisories@github.com","tags":["Vendor Advisory","Exploit"]}]}}]}