PatchSiren cyber security CVE debrief
CVE-2026-45062 php CVE debrief
CVE-2026-45062 is a high-severity vulnerability in FrankenPHP, a modern application server for PHP. The vulnerability allows an attacker to mislead FrankenPHP into treating a non-.php file as a .php script, potentially leading to remote code execution. The issue was patched in version 1.12.3.
- Vendor: php
- Product: frankenphp
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of FrankenPHP, especially those who allow user-uploaded content or have file storage features, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. An attacker can exploit this by crafting a URL that tricks FrankenPHP into executing a non-.php file as a .php script.
Defensive priority
High
Recommended defensive actions
- Upgrade to FrankenPHP version 1.12.3 or later.
- Restrict file uploads and ensure that only authorized users can modify files served by FrankenPHP.
- Monitor FrankenPHP access logs for requests whose paths contain non-ASCII bytes and resolve to PHP script execution; such requests do not occur in normal traffic for most deployments.
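The technical summary above describes the script-boundary search being influenced by non-ASCII bytes, and the monitoring step asks for such paths to be flagged. As an added example (not FrankenPHP's code or its patch), the following Go snippet locates the ".php" boundary with ASCII-only case folding, so bytes at or above 0x80 are compared exactly and can never be folded onto the extension, and flags paths that contain non-ASCII bytes for log review. The paths used are constructed samples.

```go
package main

import "fmt"

// asciiFoldEqual compares a and b under ASCII-only case folding.
// Bytes >= 0x80 are compared byte-for-byte, never folded.
func asciiFoldEqual(a, b string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := 0; i < len(a); i++ {
		ca, cb := a[i], b[i]
		if 'A' <= ca && ca <= 'Z' {
			ca += 'a' - 'A'
		}
		if 'A' <= cb && cb <= 'Z' {
			cb += 'a' - 'A'
		}
		if ca != cb {
			return false
		}
	}
	return true
}

// SplitPHPPath returns the byte index just past the first ".php" segment that
// is followed by the end of the path or a "/" (path info), or -1 when the
// path does not name a PHP script. ".phpx" and ".php.txt" do not match.
func SplitPHPPath(path string) int {
	const ext = ".php"
	for i := 0; i+len(ext) <= len(path); i++ {
		if !asciiFoldEqual(path[i:i+len(ext)], ext) {
			continue
		}
		end := i + len(ext)
		if end == len(path) || path[end] == '/' {
			return end
		}
	}
	return -1
}

// HasNonASCII reports whether a request path contains any byte >= 0x80,
// the condition worth flagging when reviewing FrankenPHP access logs.
func HasNonASCII(path string) bool {
	for i := 0; i < len(path); i++ {
		if path[i] >= 0x80 {
			return true
		}
	}
	return false
}

func main() {
	for _, p := range []string{"/index.php", "/app/INDEX.PHP/extra", "/uploads/évil.jpg"} {
		fmt.Printf("%q split=%d nonASCII=%v\n", p, SplitPHPPath(p), HasNonASCII(p))
	}
}
```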
Evidence notes
The CVE-2026-45062 vulnerability was patched in FrankenPHP version 1.12.3. Users can find more information in the official GitHub security advisory [GHSA-3g8v-8r37-cgjm](https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm).
Official resources
CVE-2026-45062 was published on 2026-06-10T18:16:57.077Z and modified on 2026-06-11T14:16:28.110Z.