Cyber Resilience

CVE-2026-42552

Severity: High
Published: 13 May 2026
Modified: 15 May 2026
KEV Added: not listed
Patch: fixed in Flight 3.18.1 (see Vulnerability details)
CVSS v3.1: 7.5 (High), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.0001 (2.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-42552 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Flight, an extensible PHP micro-framework, affecting versions prior to 3.18.1. Its CVSS v3.1 base score is 7.5 (High): the vector describes a flaw reachable over the network with no privileges or user interaction required, with high confidentiality impact and no integrity or availability impact.

Operationally, exploitation aligns with the MITRE ATT&CK technique System Information Discovery (T1082). Its EPSS score of 0.0001 places it at the 2.9th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog. An information leak of this kind is rarely exploited on its own; its value to an attacker lies in what the leaked paths and messages enable next (see Vulnerability details).

Vulnerability details

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments therefore leak internal filesystem paths, any secret interpolated into an exception message (for example, a connection string echoed back by a database driver), and the application's full module structure. None of this is exploitable by itself, but it hands an attacker the primitives needed to chain other weaknesses such as local file inclusion (LFI) and path traversal, where knowing an exact absolute path is often the missing piece. This vulnerability is fixed in 3.18.1; deployments that cannot upgrade immediately should replace the default handler so that exception detail is logged server-side and never written into the response.
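As an added illustration (not Flight's code and not the fix shipped in 3.18.1), the following PHP shows the vulnerable handler pattern the advisory describes next to a hardened replacement, plus a small detector for leaked internals that can be run over captured 500 responses. The function names, the Logger class, the regex patterns and the sample DSN are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Flight's code. Run with: php error_handler_demo.php
// The hypothetical handlers below reproduce the CWE-209 pattern the advisory
// describes (leakyErrorHandler) and a hardened replacement (safeErrorHandler).

final class Logger
{
    /** @var string[] server-side log lines (stand-in for a real logger) */
    public array $lines = [];

    public function error(string $line): void
    {
        $this->lines[] = $line;
    }
}

function setStatus(int $code): void
{
    // http_response_code() is meaningless under the CLI SAPI; guard it so the
    // demo runs from a terminal as well as behind a web server.
    if (PHP_SAPI !== 'cli') {
        http_response_code($code);
    }
}

/**
 * Vulnerable pattern (CWE-209): message, code and stack trace are written into
 * the 500 body for every client, with no debug gating. htmlspecialchars() only
 * stops XSS; it does nothing about the information leak.
 */
function leakyErrorHandler(Throwable $e): string
{
    setStatus(500);
    return sprintf(
        "<h1>500 Internal Server Error</h1><h3>%s (%d)</h3><pre>%s</pre>",
        htmlspecialchars($e->getMessage(), ENT_QUOTES),
        $e->getCode(),
        htmlspecialchars($e->getTraceAsString(), ENT_QUOTES)
    );
}

/**
 * Hardened pattern: full detail goes to the server-side log under a random
 * correlation id; the client only ever sees the id. Detail reaches the
 * response only when $debug is explicitly true, never by default.
 */
function safeErrorHandler(Throwable $e, Logger $log, bool $debug = false): string
{
    setStatus(500);
    $id = bin2hex(random_bytes(8));
    $log->error(sprintf("[%s] %s: %s (code %d) at %s:%d\n%s",
        $id, get_class($e), $e->getMessage(), $e->getCode(),
        $e->getFile(), $e->getLine(), $e->getTraceAsString()));

    if ($debug) {
        return leakyErrorHandler($e) . "<p>ref: {$id}</p>";
    }
    return "<h1>500 Internal Server Error</h1><p>Reference: {$id}</p>";
}

/**
 * Crude detector for the symptoms the advisory describes, meant for captured
 * responses (pre-release checks, proxy logs): absolute paths to PHP files,
 * PHP stack-trace frames, and key=value secrets interpolated into messages.
 * Returns the names of the patterns that matched.
 */
function leaksInternals(string $body): array
{
    $patterns = [
        'absolute_path' => '#(?:/|[A-Za-z]:\\\\)(?:[\w.-]+[/\\\\])+[\w.-]+\.php\b#',
        'stack_frame'   => '/^#\d+ .*\(\d+\): /m',
        'secret'        => '/(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*\S+/i',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $body) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed failure: a connection error whose message carelessly interpolates
// the DSN (including a credential), thrown from a deeper call frame.
function connectToDatabase(): void
{
    $dsn = 'mysql:host=db.internal;dbname=app;password=hunter2';
    throw new RuntimeException("Could not connect using {$dsn}", 2002);
}

try {
    connectToDatabase();
} catch (Throwable $e) {
    $log   = new Logger();
    $leaky = leakyErrorHandler($e);
    $safe  = safeErrorHandler($e, $log);

    echo "leaky handler exposes: ", implode(', ', leaksInternals($leaky)), "\n";
    echo "safe handler exposes:  ", implode(', ', leaksInternals($safe)) ?: '(nothing)', "\n";
    echo "server log holds ", count($log->lines), " entry with the full detail\n";
}
```

The leaky handler trips all three detectors (absolute path, stack frame, interpolated credential); the hardened handler returns only the correlation id, and the detail lands in the server-side log where it belongs. On a Flight application that cannot move to 3.18.1 yet, a handler shaped like safeErrorHandler can be installed through the framework's error-handler override (Flight::map('error', ...) in the project's documentation) as an interim measure; that hook name is taken from Flight's docs rather than from this advisory, so confirm it against the version you run.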

CWE(s)

CWE-209 Generation of Error Message Containing Sensitive Information

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1082 System Information Discovery (tactic: Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

T1083 File and Directory Discovery (tactic: Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The default error handler leaks absolute paths, stack traces and module structure in every HTTP 500 response, which directly enables System Information Discovery (T1082) and File and Directory Discovery (T1083) without any authentication, and supports Exploit Public-Facing Application (T1190) by supplying the exact paths needed to chain LFI or path-traversal weaknesses.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71282 (shared CWE-209)
CVE-2025-47813 (shared CWE-209)
CVE-2025-46658 (shared CWE-209)
CVE-2023-38010 (shared CWE-209)
CVE-2026-43873 (shared CWE-209)
CVE-2026-22646 (shared CWE-209)
CVE-2025-1395 (shared CWE-209)
CVE-2026-1175 (shared CWE-209)
CVE-2024-11625 (shared CWE-209)
CVE-2024-12380 (shared CWE-209)

Affected Assets

Flight (PHP micro-framework), versions prior to 3.18.1

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness type (CWE-209) cited in the NVD entry, not from analysis of the Flight error handler itself.

Addresses CWE-209: detects error messages that leak sensitive information, treating them as evidence of disclosure.

Addresses CWE-209: directly mitigates error messages that contain sensitive authentication details by requiring obscured feedback instead of verbose responses.

Addresses CWE-209: misdirection allows misleading error messages that withhold or falsify sensitive details.

Addresses CWE-209: explicitly requires error messages to omit sensitive or exploitable details while still supporting corrective action.

Addresses CWE-209: validation ensures error messages contain only expected, non-sensitive content and blocks leakage through verbose errors.

Addresses CWE-209: fail-safe procedures can suppress or sanitize error output, reducing the chance of messages that contain sensitive information.