Summary The splitPos() function in [cgi.go](https://github.com/php/frankenphp/blob/main/cgi.go) misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws…
| CVE ID | CVE-2026-45062 |
| Vendor | go |
| Affected Product | github.com/dunglas/frankenphp |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.1 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
splitPos() function in [cgi.go](https://github.com/php/frankenphp/blob/main/cgi.go) misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This advisory consolidates two independent reports against the same function (the duplicate, GHSA-v4h7-cj44-8fc8, has been closed). Both were reported by @KC1zs4.var splitSearchNonASCII = search.New(language.Und, search.IgnoreCa
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.