Security Vulnerability Report
CVE-2026-42552 CVSS 7.5 HIGH


Published: 2026-05-13 20:16:22
Last Modified: 2026-05-14 16:51:08

Description

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure, giving attackers primitives for chaining other weaknesses (LFI, path traversal). This vulnerability is fixed in 3.18.1.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)


Flight < 3.18.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
// PoC for CVE-2026-42552: Information Disclosure in Flight Framework
// This script demonstrates how triggering an error reveals sensitive paths.
require 'vendor/autoload.php';

use flight\Engine;

$app = new Engine();

// Route designed to trigger an error with sensitive info.
// Flight route patterns are "METHOD /path"; the original "/GET /test" would not match a GET request.
$app->route('GET /test', function () {
    // Simulating a logic error that exposes a secret
    throw new Exception("Database Connection Failed: host=db.internal user=root pass=secret123");
});

$app->start();

// Expected Result:
// The HTTP response will contain a stack trace showing the absolute path
// to this script (e.g., /var/www/html/index.php) and the secret password.
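A defensive counterpart to the PoC above, added here and not part of the advisory or of the Flight project's own 3.18.1 fix: it maps a custom error handler so that exception detail is written to the server log only and the client receives a generic 500 unless a debug flag is set. It assumes Flight 3's public Engine methods map('error', ...), halt(), set() and get(); the app.debug config key is a hypothetical name.

```php
<?php
// Added example (not the advisory's or the Flight project's code): keep
// exception message, code and stack trace out of the HTTP response.
// Assumes Flight 3's public API: Engine::map('error', ...), halt(), set(), get().
require 'vendor/autoload.php';

use flight\Engine;

$app = new Engine();

// Hypothetical config key; must be false in production.
$app->set('app.debug', getenv('APP_DEBUG') === '1');

// Replace the default Engine::_error() handler. Flight passes the Throwable.
$app->map('error', function (Throwable $e) use ($app) {
    // Full detail (message, code, file, line, trace) goes to the server log only.
    error_log(sprintf(
        "[%s] %s (code %d) at %s:%d\n%s",
        get_class($e),
        $e->getMessage(),
        $e->getCode(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString()
    ));

    if ($app->get('app.debug')) {
        // Developer mode only: show the detail, HTML-escaped.
        $app->halt(500, '<pre>' . htmlspecialchars((string) $e) . '</pre>');
    }

    // Production: generic body, no message, no paths, no trace.
    $app->halt(500, 'Internal Server Error');
});

// Same route as the PoC (constructed secret); the message now stays server-side.
$app->route('GET /test', function () {
    throw new Exception('Database Connection Failed: host=db.internal user=root pass=secret123');
});

$app->start();
```

Upgrading to 3.18.1 remains the fix; this handler is defence in depth for deployments that cannot upgrade immediately.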

Weakness

CWE-209 (Generation of Error Message Containing Sensitive Information)

References

https://github.com/flightphp/core/security/advisories/GHSA-qrch-52m5-vv85 (GitHub Security Advisory)