CVE-2026-24895
Published: 12 February 2026
Summary
CVE-2026-24895 is a critical-severity Incorrect Behavior Order: Validate Before Canonicalize (CWE-180) vulnerability in Php Frankenphp. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the Unicode path splitting flaw by applying the vendor patch released in FrankenPHP 1.11.2.
- SI-10 (Information Input Validation): Validates incoming request URIs for well-formed Unicode characters and path integrity to block malformed inputs that trigger byte misalignment during case conversion.
- SC-7 (Boundary Protection): Enforces boundary protection via web application firewalls to filter and block crafted URIs exploiting the CGI path resolution vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote unauthenticated RCE vulnerability in the public-facing FrankenPHP web server caused by Unicode mishandling in CGI path logic, allowing attackers to force execution of unintended PHP files; this directly maps to exploitation of a public-facing application.
NVD Description
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2.
Deeper analysis
CVE-2026-24895 affects FrankenPHP, a modern application server for PHP, in versions prior to 1.11.2. The vulnerability stems from improper handling of Unicode characters in the CGI path splitting logic during case conversion. Specifically, the logic calculates the split index for locating ".php" on a lowercased copy of the request path but applies that byte index to the original path. Go's strings.ToLower() function can increase the byte length of certain UTF-8 characters, such as Ⱥ when lowercased, so the index computed on the lowercased copy no longer corresponds to the same position in the original string. This results in incorrect SCRIPT_NAME and SCRIPT_FILENAME values, potentially leading FrankenPHP to execute a file other than the one specified in the URI. The issue is classified under CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction by crafting a request URI containing specific Unicode characters. By triggering the byte length mismatch, attackers can manipulate the path resolution to execute an unintended PHP file, enabling arbitrary code execution, data disclosure, or other impacts depending on the server's file structure and permissions. The high confidentiality, integrity, and availability impacts reflect the potential for full server compromise if exploitable files are present.
The vulnerability is fixed in FrankenPHP version 1.11.2. The official security advisory (GHSA-g966-83w7-6w38), release notes, and fixing commit (04fdc0c1e8fde94e2c1ad86217e962c88d27c53e) on the FrankenPHP GitHub repository detail the patch, which addresses the Unicode handling in path splitting. Security practitioners should upgrade to 1.11.2 or later and review server configurations for exposed PHP endpoints.
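The byte-index mismatch described in the NVD description and the analysis above, reconstructed as an added Go example (this is not FrankenPHP's own code or its actual fix): vulnerableSplit mirrors the flawed order of operations, while safeSplit locates ".php" case-insensitively on the original bytes so the offset always refers to the string it is applied to. The search is simplified to the first ".php" match; FrankenPHP's full CGI path logic is not reproduced.

```go
package main

import (
	"fmt"
	"strings"
)

// lowerGrowth returns how many bytes strings.ToLower adds to s.
// For "Ⱥ" (U+023A, 2 bytes) the lowercase "ⱥ" (U+2C65) is 3 bytes, so it returns 1.
func lowerGrowth(s string) int {
	return len(strings.ToLower(s)) - len(s)
}

// vulnerableSplit reproduces the flawed order of operations: the ".php" index is
// located on a lowercased copy but the slice is taken on the original bytes.
// Any uppercase rune before ".php" whose lowercase form is longer shifts the
// split; if the shifted end lies past the original string, the slice panics.
// Simplified reconstruction for illustration only.
func vulnerableSplit(path string) (scriptName, pathInfo string) {
	lower := strings.ToLower(path)
	idx := strings.Index(lower, ".php")
	if idx < 0 {
		return path, ""
	}
	end := idx + len(".php")
	return path[:end], path[end:]
}

// safeSplit computes the index on the original bytes: each 4-byte window of
// the original is compared case-insensitively, so the offset refers to the
// same string it is later applied to. A window that cuts a multi-byte rune
// cannot fold-compare equal to ".php", so it is skipped naturally.
func safeSplit(path string) (scriptName, pathInfo string) {
	for i := 0; i+len(".php") <= len(path); i++ {
		if strings.EqualFold(path[i:i+len(".php")], ".php") {
			end := i + len(".php")
			return path[:end], path[end:]
		}
	}
	return path, ""
}

func main() {
	// Constructed request path: an uppercase Ⱥ precedes the script name.
	p := "/Ⱥ/app.php/extra"
	fmt.Printf("ToLower grows %q by %d byte(s)\n", "Ⱥ", lowerGrowth("Ⱥ"))
	sn, pi := vulnerableSplit(p)
	fmt.Printf("vulnerable: SCRIPT_NAME=%q PATH_INFO=%q\n", sn, pi) // "/Ⱥ/app.php/" "extra"
	sn, pi = safeSplit(p)
	fmt.Printf("safe:       SCRIPT_NAME=%q PATH_INFO=%q\n", sn, pi) // "/Ⱥ/app.php" "/extra"
}
```

Because SCRIPT_FILENAME is derived from SCRIPT_NAME, the one-byte shift in the vulnerable output changes which filesystem path the server resolves and hands to PHP.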
Details
- CWE(s)