Is github.com/dunglas/frankenphp affected by CVE-2026-24895?

Go github.com/dunglas/frankenphp is affected in <1.11.2.

Is CVE-2026-24895 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

medium

CVE-2026-24895

Q: Is CVE-2026-24895 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

Go · github.com/dunglas/frankenphp

Summary

FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP in github.com/dunglas/frankenphp

Severity: medium
EPSS: 0.6% (p43)
Also known as: GHSA-g966-83w7-6w38, GO-2026-4486
Published: 2026-02-17

References

https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38
https://nvd.nist.gov/vuln/detail/CVE-2026-24895
https://github.com/php/frankenphp/commit/04fdc0c1e8fde94e2c1ad86217e962c88d27c53e

Related advisories

CVE-2026-45062 — high · Go/github.com/dunglas/frankenphp
CVE-2026-24894 — medium · Go/github.com/dunglas/frankenphp
GHSA-x9p2-77v6-6vhf — medium · Go/github.com/dunglas/frankenphp

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.