CVE-2026-24895 affects FrankenPHP, a modern PHP application server, due to an incorrect behavior order vulnerability classified under CWE-180: Validate Before Canonicalize. The flaw arises in the CGI path splitting logic where the server attempts to locate the '.php' extension by computing the split index on a lowercased version of the request path. However, the lowercasing operation in Go can increase the byte length of certain Unicode characters (for example, the character Ⱥ expands when lowercased), causing the computed index to be misaligned when applied to the original, unmodified path string. This misalignment leads to incorrect assignment of SCRIPT_NAME and SCRIPT_FILENAME environment variables, which are critical in determining which PHP script is executed. As a result, FrankenPHP may execute a file different from the one intended by the URI, potentially allowing attackers to execute arbitrary files or scripts. The vulnerability does not require authentication or user interaction, making it remotely exploitable over the network. The issue was addressed and fixed in FrankenPHP version 1.11.2. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the high severity score and nature of the flaw warrant immediate attention.

For European organizations, this vulnerability poses a significant risk to web applications running on FrankenPHP versions prior to 1.11.2. Exploitation can lead to unauthorized execution of arbitrary files, potentially resulting in data breaches, unauthorized access, defacement, or service disruption. Confidentiality is at risk as attackers may access sensitive data by executing unintended scripts. Integrity can be compromised through unauthorized code execution or modification of application behavior. Availability may be affected if critical scripts are bypassed or replaced, causing denial of service. Given the vulnerability requires no authentication or user interaction, attackers can exploit it remotely, increasing the threat surface. Organizations relying on FrankenPHP for public-facing web services or internal applications must consider this vulnerability critical. The absence of known exploits in the wild provides a window for proactive mitigation, but the high CVSS score underscores the urgency. Failure to patch may lead to targeted attacks, especially in sectors with high-value data or critical infrastructure.

1. Upgrade FrankenPHP to version 1.11.2 or later immediately to apply the official fix addressing the Unicode path handling flaw. 2. Conduct a thorough audit of web server configurations to ensure no legacy or fallback mechanisms allow execution of unintended files. 3. Implement strict input validation and normalization on URI paths before processing to detect and block suspicious Unicode or malformed requests. 4. Deploy Web Application Firewalls (WAFs) with custom rules to detect anomalous path requests that may exploit this vulnerability. 5. Monitor server logs for irregular SCRIPT_NAME or SCRIPT_FILENAME assignments and unexpected script executions, enabling early detection of exploitation attempts. 6. Isolate critical web applications in segmented network zones to limit lateral movement if exploitation occurs. 7. Educate development and operations teams about the risks of improper canonicalization and encourage secure coding practices for handling Unicode inputs. 8. Maintain an incident response plan tailored to web server compromises to respond swiftly if exploitation is detected.