Cyber Resilience

CVE-2026-42551

High

Published: 13 May 2026

Published
13 May 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0001 1.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42551 is a high-severity Interpretation Conflict (CWE-436) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted target methods.…

more

A GET request can silently become a DELETE or PUT, enabling CSRF escalation against destructive endpoints, bypass of middleware gated on unsafe verbs, and cache poisoning between CDN and origin. This vulnerability is fixed in 3.18.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Method override vuln in public PHP web framework directly enables exploitation of exposed application endpoints via tampered HTTP verbs.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33807Shared CWE-436
CVE-2026-33808Shared CWE-436
CVE-2026-6270Shared CWE-436
CVE-2026-33804Shared CWE-436
CVE-2026-25223Shared CWE-436
CVE-2026-41248Shared CWE-436
CVE-2026-6322Shared CWE-436
CVE-2026-27444Shared CWE-436
CVE-2026-40165Shared CWE-436
CVE-2025-25292Shared CWE-436

Affected Assets

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References