CVE-2026-42551

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N                                    

Vulnerability Description

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted target methods. A GET request can silently become a DELETE or PUT, enabling CSRF escalation against destructive endpoints, bypass of middleware gated on unsafe verbs, and cache poisoning between CDN and origin. This vulnerability is fixed in 3.18.1.

Vulnerability Details

Published Date

May 06, 2026

Last Modified

May 14, 2026

CWE ID

CWE-436

Source

GitHub

Vendor

composer

Product

flightphp/core

External References

https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g
https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0
https://github.com/flightphp/core/releases/tag/v3.18.1
https://github.com/advisories/GHSA-vxrr-w42w-w76g

CVE-2026-42551

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment