Search criteria
6 vulnerabilities by flightphp
CVE-2026-42552 (GCVE-0-2026-42552)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:24 – Updated: 2026-05-13 19:24
VLAI?
Title
Flight: Sensitive information disclosure via default error handler in flightphp/core
Summary
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure — giving attackers primitives for chaining other weaknesses (LFI, path traversal). This vulnerability is fixed in 3.18.1.
Severity ?
7.5 (High)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/flightphp/core/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "core",
"vendor": "flightphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.18.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure \u2014 giving attackers primitives for chaining other weaknesses (LFI, path traversal). This vulnerability is fixed in 3.18.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T19:24:15.132Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/flightphp/core/security/advisories/GHSA-qrch-52m5-vv85",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/flightphp/core/security/advisories/GHSA-qrch-52m5-vv85"
}
],
"source": {
"advisory": "GHSA-qrch-52m5-vv85",
"discovery": "UNKNOWN"
},
"title": "Flight: Sensitive information disclosure via default error handler in flightphp/core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42552",
"datePublished": "2026-05-13T19:24:15.132Z",
"dateReserved": "2026-04-28T16:56:50.191Z",
"dateUpdated": "2026-05-13T19:24:15.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42551 (GCVE-0-2026-42551)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:23 – Updated: 2026-05-13 19:23
VLAI?
Title
Flight: HTTP method override enabled by default enables CSRF escalation and middleware bypass in flightphp/core
Summary
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted target methods. A GET request can silently become a DELETE or PUT, enabling CSRF escalation against destructive endpoints, bypass of middleware gated on unsafe verbs, and cache poisoning between CDN and origin. This vulnerability is fixed in 3.18.1.
Severity ?
7.5 (High)
CWE
- CWE-436 - Interpretation Conflict
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/flightphp/core/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "core",
"vendor": "flightphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.18.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST[\u0027_method\u0027] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted target methods. A GET request can silently become a DELETE or PUT, enabling CSRF escalation against destructive endpoints, bypass of middleware gated on unsafe verbs, and cache poisoning between CDN and origin. This vulnerability is fixed in 3.18.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T19:23:27.314Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g"
}
],
"source": {
"advisory": "GHSA-vxrr-w42w-w76g",
"discovery": "UNKNOWN"
},
"title": "Flight: HTTP method override enabled by default enables CSRF escalation and middleware bypass in flightphp/core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42551",
"datePublished": "2026-05-13T19:23:27.314Z",
"dateReserved": "2026-04-28T16:56:50.191Z",
"dateUpdated": "2026-05-13T19:23:27.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42550 (GCVE-0-2026-42550)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:22 – Updated: 2026-05-13 19:22
VLAI?
Title
Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete
Summary
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers — a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) — an attacker can inject arbitrary SQL by crafting malicious array keys. This vulnerability is fixed in 3.18.1.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/flightphp/core/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "core",
"vendor": "flightphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.18.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers \u2014 a common and documented pattern, e.g. $db-\u003einsert(\u0027users\u0027, $request-\u003edata-\u003egetData()) \u2014 an attacker can inject arbitrary SQL by crafting malicious array keys. This vulnerability is fixed in 3.18.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T19:22:53.297Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr"
}
],
"source": {
"advisory": "GHSA-xwqr-rcqg-22mr",
"discovery": "UNKNOWN"
},
"title": "Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42550",
"datePublished": "2026-05-13T19:22:53.297Z",
"dateReserved": "2026-04-28T16:56:50.191Z",
"dateUpdated": "2026-05-13T19:22:53.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42549 (GCVE-0-2026-42549)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:22 – Updated: 2026-05-13 19:22
VLAI?
Title
Flight: Path traversal in `make:controller` CLI creates arbitrary directories outside project root
Summary
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains /, but the recursive directory creation side effect is already committed — including directories located outside the project root through ../ traversal. This vulnerability is fixed in 3.18.1.
Severity ?
4.4 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/flightphp/core/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "core",
"vendor": "flightphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.18.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette\u0027s class-name validation runs. The class-file write is correctly rejected by Nette when the name contains /, but the recursive directory creation side effect is already committed \u2014 including directories located outside the project root through ../ traversal. This vulnerability is fixed in 3.18.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T19:22:20.932Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/flightphp/core/security/advisories/GHSA-3xjv-pmf2-gf2q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/flightphp/core/security/advisories/GHSA-3xjv-pmf2-gf2q"
}
],
"source": {
"advisory": "GHSA-3xjv-pmf2-gf2q",
"discovery": "UNKNOWN"
},
"title": "Flight: Path traversal in `make:controller` CLI creates arbitrary directories outside project root"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42549",
"datePublished": "2026-05-13T19:22:20.932Z",
"dateReserved": "2026-04-28T16:56:50.191Z",
"dateUpdated": "2026-05-13T19:22:20.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42548 (GCVE-0-2026-42548)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:21 – Updated: 2026-05-13 19:21
VLAI?
Title
Flight: Reflected XSS via unvalidated JSONP callback in Flight::jsonp()
Summary
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site scripting. This vulnerability is fixed in 3.18.1.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/flightphp/core/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "core",
"vendor": "flightphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.18.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site scripting. This vulnerability is fixed in 3.18.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T19:21:44.125Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/flightphp/core/security/advisories/GHSA-fcx8-ph5r-mxr4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/flightphp/core/security/advisories/GHSA-fcx8-ph5r-mxr4"
}
],
"source": {
"advisory": "GHSA-fcx8-ph5r-mxr4",
"discovery": "UNKNOWN"
},
"title": "Flight: Reflected XSS via unvalidated JSONP callback in Flight::jsonp()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42548",
"datePublished": "2026-05-13T19:21:44.125Z",
"dateReserved": "2026-04-28T16:56:50.191Z",
"dateUpdated": "2026-05-13T19:21:44.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2014-125127 (GCVE-0-2014-125127)
Vulnerability from cvelistv5 – Published: 2025-09-03 08:35 – Updated: 2025-09-03 13:20
VLAI?
Title
Denial of Service (DoS) vulnerability in mikecao/flight
Summary
The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies.
Severity ?
7.5 (High)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2014-125127",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T13:20:02.762521Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T13:20:06.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125127"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://packagist.org",
"defaultStatus": "unaffected",
"packageName": "mikecao/flight",
"product": "core",
"programFiles": [
"flight/net/Request.php"
],
"repo": "https://github.com/flightphp/core",
"vendor": "flightphp",
"versions": [
{
"lessThanOrEqual": "v1.1.10",
"status": "affected",
"version": "v1.0",
"versionType": "php"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T08:35:05.988Z",
"orgId": "596c5446-0ce5-4ba2-aa66-48b3b757a647",
"shortName": "Checkmarx"
},
"references": [
{
"url": "https://github.com/mikecao/flight/pull/125"
},
{
"url": "https://github.com/mikecao/flight/commit/da40e03eb4a39745107912dffe926a8fce0d38dc"
},
{
"url": "https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125127"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Denial of Service (DoS) vulnerability in mikecao/flight",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "596c5446-0ce5-4ba2-aa66-48b3b757a647",
"assignerShortName": "Checkmarx",
"cveId": "CVE-2014-125127",
"datePublished": "2025-09-03T08:35:05.988Z",
"dateReserved": "2025-08-27T09:12:29.906Z",
"dateUpdated": "2025-09-03T13:20:06.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}