
FlightPHP Core CVE-2026-42552

Severity: HIGH (CVSS 3.1 base score 7.5)
Weakness: Error Message Information Leak (CWE-209)
Published: 2026-05-06
Project: https://github.com/flightphp/core
Advisory: GHSA-qrch-52m5-vv85

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: May 06, 2026 - 22:39 (vuln.today)
Analysis Generated: May 06, 2026 - 22:39 (vuln.today)
CVE Published: May 06, 2026 - 21:39 (nvd)

Description (source: NVD)

Summary

The default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments therefore leak internal paths, any secret interpolated into an exception message, and the full module structure, giving attackers primitives for chaining other weaknesses (LFI, path traversal).

Affected code

flight/Engine.php (≈ lines 678-704):

```php
public function _error(Throwable $e): void
{
    // ... (preceding lines elided in the advisory)
    $msg = sprintf(<<<'HTML'
        <h1>500 Internal Server Error</h1>
            <h3>%s (%s)</h3>
            <pre>%s</pre>
        HTML,
        $e->getMessage(),       // full exception message, possibly containing interpolated secrets
        $e->getCode(),
        $e->getTraceAsString()  // absolute paths of every frame, including vendor packages
    );
    $this->response()->cache(0)->clearBody()->status(500)->write($msg)->send();
}
```

No flight.debug check, no environment gating.

Proof of concept

Any uncaught exception, including those auto-raised from handleError(), returns:

```text
HTTP/1.1 500 Internal Server Error

<h1>500 Internal Server Error</h1>
  <h3>secret path /var/www/config/db.yml; token=LEAKED123 (0)</h3>
  <pre>#0 [internal function]: {closure}()
  #1 /home/user/app/vendor/flightphp/core/flight/core/Dispatcher.php(361)...
  #2 /home/user/app/vendor/flightphp/core/flight/Engine.php(...)
  ...
  </pre>
```

Reproduced against the live PoC app at /poc5/error.

Impact

  • Disclosure of absolute filesystem paths (primes weaponization of LFI / path-traversal vulnerabilities in the same application).
  • Disclosure of secrets (DB credentials, API tokens) when exceptions are constructed with interpolated configuration values.
  • Enumeration of installed vendor packages and internal application structure.

Patch (fixed in 3.18.1, commit b8dd23a)

A new flight.debug setting (default false) gates the verbose output. In production the handler now emits only <h1>500 Internal Server Error</h1>. Developers can set flight.debug = true in local environments to restore the full trace output.
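The gating the patch describes, written out as a standalone PHP handler. This is an added example, not FlightPHP's code: the verbose body is built only when the debug flag is true, the production body is the fixed `<h1>500 Internal Server Error</h1>` line, and the full detail is kept server-side via error_log() so incident responders still get it. The APP_DEBUG environment variable is an assumed stand-in for whatever configuration lookup the application actually uses (Flight's own setting is flight.debug, default false).

```php
<?php
declare(strict_types=1);

// Added example (not FlightPHP's own code). Returns the HTTP 500 body for an
// uncaught exception. Exception message, code and trace reach the client only
// when $debug is true; otherwise a fixed, detail-free body is returned.
function renderErrorBody(Throwable $e, bool $debug): string
{
    if (!$debug) {
        // Production: same generic body the patched handler emits.
        return '<h1>500 Internal Server Error</h1>';
    }

    // Development only. The values are HTML-escaped before being embedded,
    // since an exception message may contain request-derived text.
    return sprintf(
        "<h1>500 Internal Server Error</h1>\n<h3>%s (%s)</h3>\n<pre>%s</pre>",
        htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $e->getCode(), ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($e->getTraceAsString(), ENT_QUOTES, 'UTF-8')
    );
}

function handleUncaught(Throwable $e, bool $debug): void
{
    // Forensic detail stays in the server log regardless of the debug setting.
    error_log(sprintf(
        '[500] %s: %s (%s) at %s:%d',
        get_class($e), $e->getMessage(), $e->getCode(), $e->getFile(), $e->getLine()
    ));

    http_response_code(500);
    header('Cache-Control: no-store');
    header('Content-Type: text/html; charset=UTF-8');
    echo renderErrorBody($e, $debug);
}

// Constructed self-check: the same exception rendered in both modes.
$sample = new RuntimeException('secret path /var/www/config/db.yml; token=LEAKED123');
if (renderErrorBody($sample, false) !== '<h1>500 Internal Server Error</h1>') {
    throw new LogicException('production body must not carry exception detail');
}
if (!str_contains(renderErrorBody($sample, true), 'LEAKED123')) {
    throw new LogicException('debug body should carry the full message');
}

// Assumed configuration source; replace with the application's own lookup.
$debug = filter_var(getenv('APP_DEBUG') ?: 'false', FILTER_VALIDATE_BOOLEAN);
set_exception_handler(fn (Throwable $e) => handleUncaught($e, $debug));
```

A useful production check is to trigger a deliberate exception in a staging copy and confirm the response body is exactly the one-line heading while the log line still records file, line and message.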

Credit

Discovered by @Rootingg.

Analysis (AI-generated)

FlightPHP Core's default error handler exposes full exception messages, stack traces, and absolute filesystem paths in HTTP 500 responses without any debug-mode gating. All versions before 3.18.1 leak internal application structure, vendor package names, and any secrets interpolated into exception messages to unauthenticated remote attackers. …


Remediation (AI-generated)

Within 24 hours: Inventory all FlightPHP Core deployments and identify those running versions prior to 3.18.1. Within 7 days: Apply the vendor patch by upgrading to FlightPHP 3.18.1 or later across all affected systems and verify that the flight.debug setting is false in production configuration. …



CVE-2026-42552 vulnerability details – vuln.today
