What is the CVSS score of CVE-2026-24895?

CVE-2026-24895 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2026-24895?

FrankenPHP versions prior to 1.11.2 contain a critical vulnerability enabling remote code execution through improper Unicode handling in path processing.. A patch is available.

Is there a public PoC exploit available for CVE-2026-24895?

Yes, a public proof-of-concept exploit is available for CVE-2026-24895. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-24895?

Within 24 hours: Identify all systems running FrankenPHP and document versions; isolate or restrict external access to affected instances. Within 7 days: Apply vendor patch to upgrade FrankenPHP to version 1.11.2 or later across all production and non-production environments. Within 30 days: Conduct security audit of patched systems and review access logs for exploitation attempts during the vulnerability window.

PHP CVE-2026-24895

CRITICAL

Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)

2026-02-12 security-advisories@github.com

GHSA-g966-83w7-6w38

PHP Golang Frankenphp Suse

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SUSE

CRITICAL

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

PoC Detected

Feb 20, 2026 - 18:30 vuln.today

Public exploit code

Patch released

Feb 20, 2026 - 18:30 nvd

Patch available

CVE Published

Feb 12, 2026 - 20:16 nvd

CRITICAL 9.8

DescriptionGitHub Advisory

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2.

AnalysisAI

CGI path splitting vulnerability in FrankenPHP before 1.11.2 — Unicode characters bypass path validation during CGI processing. PoC and patch available.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft HTTP request with Unicode character in path

Exploit

CGI path splitting computes incorrect byte index

Execution

SCRIPT_NAME/SCRIPT_FILENAME misaligned

Impact

Execute arbitrary PHP code

Access

Craft HTTP request with Unicode character in path

Exploit

CGI path splitting computes incorrect byte index

Execution

SCRIPT_NAME/SCRIPT_FILENAME misaligned

Impact

Execute arbitrary PHP code

Vulnerability AssessmentAI

Exploitation	FrankenPHP versions prior to 1.11.2 with default CGI path splitting enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Attacker uses Unicode characters in URL to bypass path validation, accessing restricted PHP files.
Remediation	Update to FrankenPHP 1.11.2. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running FrankenPHP and document versions; isolate or restrict external access to affected instances. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 15.6	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6	Fixed
openSUSE Leap 15.5	Fixed

CVE-2026-24895 vulnerability details – vuln.today

Back

PHP CVE-2026-24895

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code