CVE-2026-24894
HIGH 7.5FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.
Affected Applications in Environment
12
php
v2:8.4+101~+ubuntu24.04.1+deb.sury.org+1
8 devices
php
v2:8.4+100~+ubuntu24.04.1+deb.sury.org+1
1 device
php
v5.4.16-48.el7
1 device
php
v2:7.4+75
3 devices
php
v2:8.4+101~+ubuntu22.04.1+deb.sury.org+1
1 device
php
v2:8.2+93
1 device
php
v1:7.0+35ubuntu6.1
1 device
php
v2:8.4+96+ubuntu20.04.1+deb.sury.org+1
1 device
php
v2:8.4+100~+ubuntu22.04.1+deb.sury.org+1
1 device
php
v2:8.1+92ubuntu1
1 device
php
v2:8.3+93ubuntu2
5 devices
php
v1:7.2+60ubuntu1
1 device
Affected Devices
25
aggietower
Linux
ah-ots
Linux
cceredcapweb
Linux
guru.cluster
Linux
kena-utility
Linux
my1
Linux
mysql02
Linux
privatebin
Linux
rcbd
Linux
rcdb-dev
Linux
redcapweb
Linux
sys-serv-l-301-data
Linux
web04a
Linux
web06
Linux
web08.usu.edu
Linux
web11.usu.edu
Linux
web13.usu.edu
Linux
web14.usu.edu
Linux
web20
Linux
web22
Linux
web28
Linux
web29.usu.edu
Linux
web30.usu.edu
Linux
web37.usu.edu
Linux
webs.usu.edu
Linux