Byte Open Security (ByteOS Network)

Vulnerability Details: CVE-2026-24894

Summary
Assigner: GitHub_M
Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa
Published At: 12 Feb, 2026 | 19:12
Updated At: 12 Feb, 2026 | 20:04
Rejected At: N/A

FrankenPHP leaks session data between requests in worker mode

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.

Common Vulnerabilities and Exposures (CVE) (cve.org)
CVE Numbering Authority (CNA)
Affected Products
Vendor: The PHP Group (php)
Product: frankenphp
Affected versions:
  • < 1.11.2
Problem Types
  • CWE-269: Improper Privilege Management
  • CWE-384: Session Fixation
  • CWE-613: Insufficient Session Expiration
Metrics
CVSS Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References
  • https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp (x_refsource_CONFIRM)
  • https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735 (x_refsource_MISC)
  • https://github.com/php/frankenphp/releases/tag/v1.11.2 (x_refsource_MISC)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: Information is not available yet
National Vulnerability Database (NVD) (nvd.nist.gov)
Source: security-advisories@github.com
Published At: 12 Feb, 2026 | 20:16
Updated At: 12 Feb, 2026 | 20:16

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
CVSS Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weaknesses
  • CWE-269 (Primary; source: security-advisories@github.com)
  • CWE-384 (Primary; source: security-advisories@github.com)
  • CWE-613 (Primary; source: security-advisories@github.com)
References
  • https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735 (source: security-advisories@github.com; resource: N/A)
  • https://github.com/php/frankenphp/releases/tag/v1.11.2 (source: security-advisories@github.com; resource: N/A)
  • https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp (source: security-advisories@github.com; resource: N/A)

Change History (0 entries): Information is not available yet

Similar CVEs

3 records found

CVE-2014-0185
Matching Score: 6
Assigner: Red Hat, Inc.
CVSS Score: 7.2 | HIGH
EPSS: 0.11% / 29.33%
7-day change: ~0.00%
Published: 06 May, 2014 | 10:00
Updated: 12 Apr, 2025 | 10:46
Rejected: Not Available
Known To Be Used In Ransomware Campaigns? Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

Action: Not Available
Vendor: n/a, The PHP Group
Product: php, n/a
CWE ID: CWE-269 (Improper Privilege Management)

CVE-2017-12868
Matching Score: 6
Assigner: MITRE Corporation
CVSS Score: 9.8 | CRITICAL
EPSS: 0.76% / 72.98%
7-day change: ~0.00%
Published: 01 Sep, 2017 | 13:00
Updated: 20 Apr, 2025 | 01:37
Rejected: Not Available
Known To Be Used In Ransomware Campaigns? Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.

Action: Not Available
Vendor: simplesamlphp, n/a, The PHP Group
Product: simplesamlphp, php, n/a
CWE ID: CWE-384 (Session Fixation)

CVE-2025-29924
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 8.7 | HIGH
EPSS: 0.06% / 17.41%
7-day change: ~0.00%
Published: 19 Mar, 2025 | 17:31
Updated: 30 Apr, 2025 | 15:58
Rejected: Not Available
Known To Be Used In Ransomware Campaigns? Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
XWiki uses the wrong wiki reference in AuthorizationManager
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API (but it could also be through another API) when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages". It's possible to detect the vulnerability by enabling "Prevent unregistered users to view pages" and then trying to access a page through the REST API without using any credentials. The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0RC1.

Action: Not Available
Vendor: XWiki SAS
Product: xwiki, xwiki-platform
CWE ID: CWE-269 (Improper Privilege Management)
CWE ID: CWE-863 (Incorrect Authorization)