SCA: security update for github.com/dunglas/frankenphp (GHSA-3g8v-8r37-cgjm)

High | Tenable Self-Hosted Container Security | Plugin ID 441990

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3. (CVE-2026-45062)

Solution

Update the github.com/dunglas/frankenphp library and its related packages to version 1.12.3 or later.

See Also

https://github.com/advisories/GHSA-3g8v-8r37-cgjm

Plugin Details

Severity: High

ID: 441990

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 5/15/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.94

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-45062

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/15/2026

Vulnerability Publication Date: 5/15/2026

Reference Information

CVE: CVE-2026-45062