CVE-2026-42549: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in flightphp core
FlightPHP core versions prior to 3.18.1 contain a path traversal vulnerability in the make:controller CLI command. This command creates directories recursively based on a user-supplied controller name before validating the class name, allowing directory creation outside the intended project root via '../' sequences. Although the class file write is blocked by validation, the directory creation side effect remains. This issue is fixed in version 3.18.1.
AI Analysis
Technical Summary
The vulnerability (CVE-2026-42549) exists in FlightPHP core before version 3.18.1. The make:controller CLI command uses mkdir with recursive directory creation on a path derived from user input without prior validation. While Nette's class-name validation prevents writing class files with invalid names containing '/', the recursive directory creation occurs beforehand, enabling attackers to create directories outside the project root through path traversal sequences like '../'. This improper limitation of pathname to a restricted directory (CWE-22) can lead to unintended directory creation, potentially impacting system availability or integrity. The vulnerability has a CVSS 3.1 score of 4.4 (medium severity) and is fixed in FlightPHP 3.18.1.
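As an added illustration of the ordering fix described above (example code, not FlightPHP's own make:controller implementation; the directory layout, the identifier regex and the helper names are assumptions), the controller name is validated before any directory is created, and the resolved target is checked against the project root:

```php
<?php
declare(strict_types=1);
// Added illustration, not FlightPHP's own code. The CVE is an ordering bug:
// mkdir(..., recursive) ran on a path built from the controller name before
// the class-name check rejected names containing '/'. Here validation runs
// first, so no filesystem side effect can depend on unchecked input.

/** Accept only a plain PHP identifier; "../", "..\\" and "/" never pass. */
function assertValidControllerName(string $name): void
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Invalid controller name: {$name}");
    }
}

/** Create the controller file only after validation and a containment check. */
function makeController(string $projectRoot, string $name): string
{
    assertValidControllerName($name);                 // 1. validate

    $dir = $projectRoot . '/app/controllers';         // 2. then touch the filesystem
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException("Cannot create {$dir}");
    }

    // 3. defence in depth: the resolved directory must stay under the project root
    $root = realpath($projectRoot);
    $real = realpath($dir);
    if ($root === false || $real === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Controller directory escapes the project root');
    }

    $file = $real . DIRECTORY_SEPARATOR . $name . '.php';
    file_put_contents($file, "<?php\n\nclass {$name}\n{\n}\n");
    return $file;
}

// Demo on a throwaway directory under the system temp dir (constructed input).
$root = sys_get_temp_dir() . '/flight-demo-' . getmypid();
mkdir($root, 0755, true);
echo makeController($root, 'UserController'), PHP_EOL;
try {
    makeController($root, '../../escaped');
} catch (InvalidArgumentException $e) {
    echo 'Rejected before any mkdir: ', $e->getMessage(), PHP_EOL;
}
```

The second call fails in assertValidControllerName before mkdir is reached, which is the property the 3.18.1 fix restores.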
Potential Impact
The vulnerability allows an attacker with local privileges to cause recursive directory creation outside the intended project directory by supplying crafted controller names with path traversal sequences. This can lead to unintended directory structures on the filesystem, potentially causing denial of service or interference with system operations. There is no direct confidentiality impact, and the class file write is blocked by validation. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade FlightPHP core to version 3.18.1 or later, where this vulnerability is fixed. Since the issue is resolved in this version, no additional mitigation steps are required.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-28T16:56:50.191Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a04d644cbff5d861003f1f5
Added to database: 5/13/2026, 7:51:32 PM
Last enriched: 5/13/2026, 8:07:14 PM
Last updated: 5/14/2026, 1:42:08 AM