CVE-2026-57584 is a high-severity vulnerability in the Phalcon PHP framework. The vulnerability occurs in the Phalcon MVC application's default router, which registers a built-in route with a compiled PCRE pattern containing a nested quantifier (/.). This pattern can be exploited by a crafted path to trigger catastrophic backtracking and cause CPU exhaustion or route-matching failure. The issue is fixed i [truncated]
The Phalcon framework's Crypt::decrypt method is vulnerable to a timing attack. An attacker can exploit this vulnerability to recover a valid HMAC tag byte-by-byte and attach it to a chosen IV and ciphertext, allowing decrypt() to accept tampered encrypted content as authentic. This issue affects Phalcon framework versions prior to 5.14.1. The vulnerability has a CVSS score of 8.2 and is classified as HIG [truncated]