CVE-2026-42552

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure — giving attackers primitives for chaining other weaknesses (LFI, path traversal). This vulnerability is fixed in 3.18.1.

Vulnerability Details

Published Date

May 06, 2026

Last Modified

May 15, 2026

CWE ID

CWE-209

Source

GitHub

Vendor

composer

Product

flightphp/core

External References

https://github.com/flightphp/core/security/advisories/GHSA-qrch-52m5-vv85
https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0
https://github.com/flightphp/core/releases/tag/v3.18.1
https://github.com/advisories/GHSA-qrch-52m5-vv85

CVE-2026-42552

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment