Threat Advisory

FrankenPHP Unicode Handling Vulnerability Exposes

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45062 (CVSS score 8.1) is a remote code execution vulnerability affecting go/github.com/dunglas/frankenphp versions 1.11.2 through 1.12.2. The issue arises in the `splitPos()` function in `cgi.go`, which misuses `golang.org/x/text/search` with `search.IgnoreCase` when the request path contains a non-ASCII byte. This leads to two distinct flaws: a stale `match` variable after an inner non-ASCII fallback, and Unicode equivalence matching that folds non-ASCII lookalikes onto ASCII. An attacker can exploit this by crafting a URL whose path triggers either flaw, causing FrankenPHP to execute non-PHP files and potentially leading to remote code execution. Successful exploitation can have severe business impact, including unauthorized access to sensitive data, system compromise, and data breaches. The attacker requires the ability to upload or store files that FrankenPHP can serve, and exploitation requires the presence of a non-ASCII byte in the request path.
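
As an added example, not FrankenPHP's own code: a minimal request-path splitter that matches the `.php` extension case-insensitively under ASCII folding only, so no byte outside ASCII can ever be equated with the extension. `splitPHPPath`, `asciiLower` and the sample paths are constructed here and do not reproduce `splitPos()`.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiLower lowercases ASCII letters only; every other byte, including
// each byte of a multi-byte UTF-8 sequence, passes through unchanged.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if c >= 'A' && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// splitPHPPath finds the first ".php" that ends a path segment, matching the
// extension case-insensitively under ASCII folding only, and returns the
// script name, the trailing PATH_INFO and whether a PHP script matched.
// Non-ASCII lookalike characters never compare equal to the ASCII extension.
func splitPHPPath(path string) (script, pathInfo string, ok bool) {
	lower := asciiLower(path) // same byte length as path, so offsets line up
	const ext = ".php"
	off := 0
	for {
		i := strings.Index(lower[off:], ext)
		if i < 0 {
			return path, "", false
		}
		end := off + i + len(ext)
		if end == len(path) || path[end] == '/' {
			return path[:end], path[end:], true
		}
		off = end
	}
}

func main() {
	// Constructed sample paths; the last uses Cyrillic U+0440 where ASCII 'p' would be.
	for _, p := range []string{"/index.PHP/extra/info", "/files/image.png", "/files/note.\u0440hp"} {
		s, info, ok := splitPHPPath(p)
		fmt.Printf("%q -> script=%q pathinfo=%q php=%v\n", p, s, info, ok)
	}
}
```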

RECOMMENDATION:

  • We recommend updating go/github.com/dunglas/frankenphp to version 1.12.3.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-3g8v-8r37-cgjm
