CVE-2026-24895 – This vulnerability in FrankenPHP allows an atta... (How to Fix)

Q: What is the severity of CVE-2026-24895?

CVE-2026-24895 has a CVSS score of 9.8 (CRITICAL). This vulnerability in FrankenPHP allows an attacker to manipulate Unicode characters in request paths to cause the server to execute unintended PHP files, potentially leading to arbitrary code execution. It affects FrankenPHP versions prior to 1.11.2, impacting any system using the vulnerable CGI path splitting logic. Users running FrankenPHP with default configurations are at risk if exposed to malicious HTTP requests.

📋 TL;DR

This vulnerability in FrankenPHP allows an attacker to manipulate Unicode characters in request paths to cause the server to execute unintended PHP files, potentially leading to arbitrary code execution. It affects FrankenPHP versions prior to 1.11.2, impacting any system using the vulnerable CGI path splitting logic. Users running FrankenPHP with default configurations are at risk if exposed to malicious HTTP requests.

💻 Affected Systems

Products:

FrankenPHP

Versions: All versions prior to 1.11.2

Operating Systems: All operating systems where FrankenPHP runs

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability is present in the CGI path handling logic; no special configuration is required to be exploitable.

📦 What is this software?

Frankenphp by Php

View all CVEs affecting Frankenphp →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could execute arbitrary PHP code on the server, leading to full system compromise, data theft, or service disruption.

🟠

Likely Case

Attackers may exploit this to read sensitive files, execute limited commands, or bypass access controls, depending on server configuration.

🟢

If Mitigated

With proper input validation and file permissions, impact may be limited to denial-of-service or information disclosure.

🌐 Internet-Facing: HIGH, as it can be exploited via unauthenticated HTTP requests to publicly accessible endpoints.

🏢 Internal Only: MEDIUM, as internal attackers or compromised systems could exploit it, but requires network access to the FrankenPHP service.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires crafting HTTP requests with specific Unicode characters; no authentication is needed, but success depends on server file structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.2

Vendor Advisory: https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38

Restart Required: Yes

Instructions:

1. Update FrankenPHP to version 1.11.2 or later using your package manager or by downloading from the official release. 2. Restart the FrankenPHP service to apply the fix.

🔧 Temporary Workarounds

Disable CGI mode if possible

all

Switch to a different PHP execution mode (e.g., FastCGI) if supported, to bypass the vulnerable path splitting logic.

Modify FrankenPHP configuration to use a non-CGI handler.

🧯 If You Can't Patch

Implement strict input validation to reject or sanitize Unicode characters in request paths.
Restrict file permissions and use application firewalls to block suspicious HTTP requests targeting PHP files.

🔍 How to Verify

Check if Vulnerable:

Check the FrankenPHP version; if it is below 1.11.2, the system is vulnerable. Review logs for unusual Unicode characters in request paths.

Check Version:

frankenphp --version or check the service output for version information.

Verify Fix Applied:

After updating, confirm the version is 1.11.2 or higher and test with crafted requests containing Unicode characters to ensure proper file execution.

📡 Detection & Monitoring

Log Indicators:

HTTP requests with unusual Unicode sequences (e.g., characters like Ⱥ) in the URI path, especially targeting .php files.

Network Indicators:

Unusual spikes in requests to PHP endpoints with encoded or malformed paths.

SIEM Query:

source="frankenphp_logs" AND uri_path=*%* AND uri_path=*.php*

📊 Metadata

CVE ID: CVE-2026-24895

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-180

EPSS Score: 0.04% exploit probability (11.9th percentile)

Published: February 12, 2026

Last Updated: February 20, 2026

🔗 References

https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e Patch
https://github.com/php/frankenphp/releases/tag/v1.11.2 Release Notes
https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38 Vendor Advisory,Exploit

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-24895, you might also want to check these: