Skip to main content

Phalcon Framework CVE-2026-57584

| EUVDEUVD-2026-43098 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-07-10 GitHub_M
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote unauthenticated low-complexity request hits the default router on every request (AV:N/AC:L/PR:N/UI:N); impact is pure availability via CPU exhaustion, so C:N/I:N/A:H and scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 23:02 EUVD
Analysis Generated
Jul 10, 2026 - 21:50 vuln.today

DescriptionCVE.org

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier (/.), and the same construct is produced by the /:params placeholder and the CLI router. Phalcon\Mvc\Router::handle() matches this pattern against the attacker-controlled request URI on every request, so a crafted path such as one containing repeated slashes followed by decoded newlines can trigger catastrophic backtracking and cause CPU exhaustion or route-matching failure. This issue is fixed in version 5.15.0.

AnalysisAI

Regular-expression denial of service (ReDoS) in the Phalcon PHP framework before 5.15.0 lets remote unauthenticated attackers exhaust server CPU by sending a crafted request URI. Every default MVC application registers a built-in route whose compiled PCRE pattern contains a nested quantifier that Router::handle() evaluates against the raw request path on every request, so a path with repeated slashes followed by decoded newlines triggers catastrophic backtracking. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-facing Phalcon app
Delivery
Craft URI with repeated slashes and decoded newlines
Exploit
Send request to trigger PCRE backtracking
Execution
Router::handle() consumes worker CPU
Persist
Repeat to exhaust worker pool
Impact
Service denial

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of Phalcon MVC applications, since the vulnerable built-in route is registered automatically by the default router and Router::handle() evaluates it on every request. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H) is internally consistent with the description: a remote, unauthenticated, low-complexity request against the default configuration produces a high availability impact and no confidentiality or integrity impact - a pure denial-of-service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an internet-facing site running a Phalcon MVC application and sends HTTP requests whose URI contains many repeated slashes followed by decoded newline characters, forcing the router's PCRE engine into catastrophic backtracking. Each request pins a worker at high CPU, and by issuing a modest stream of such requests the attacker exhausts the available PHP-FPM workers and renders the site unresponsive. …
Remediation Vendor-released patch: upgrade cphalcon to version 5.15.0 or later, which rewrites the vulnerable route pattern to remove the nested quantifier (fix commits 14ba22d389d5ca620bb9d5207205f836ef1224f2 and fa798e919cb2c487062bb9899ad6fc2b673b3a67; advisory GHSA-x7rj-f32v-7jjg at https://github.com/phalcon/cphalcon/security/advisories/GHSA-x7rj-f32v-7jjg). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Phalcon PHP deployments and confirm versions; implement WAF rules blocking URIs with consecutive slashes and encoded newline characters; enable request rate limiting at load balancer. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-57584 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy