CVE-2026-24894

Sažetak

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.

Reference

https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735
https://github.com/php/frankenphp/releases/tag/v1.11.2
https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

13-02-2026 - 14:23

Objavljeno

12-02-2026 - 20:16