Flight PHP Framework CVE-2026-42551: CSRF & Cache Poisoning Risk
The National Vulnerability Database has disclosed CVE-2026-42551, a high-severity vulnerability (CVSS 7.5) in the Flight extensible micro-framework for PHP. Versions prior to 3.18.1 are affected. The core issue lies in Request::getMethod() unconditionally honoring the X-HTTP-Method-Override header and the _method parameter, even on safe HTTP verbs like GET.
This design flaw means a standard GET request can be silently escalated to a destructive DELETE or PUT operation. The implications are significant: it enables Cross-Site Request Forgery (CSRF) against critical endpoints, allows attackers to bypass middleware designed to gate unsafe verbs, and facilitates cache poisoning between Content Delivery Networks (CDNs) and origin servers, since an intermediary sees and caches what looks like a plain GET while the origin executes a different verb. Defenders need to understand that this isn't a theoretical concern; it's a practical attack vector for unauthorized data manipulation and service disruption.
The fix is available in Flight version 3.18.1. Organizations using the Flight PHP framework must prioritize this update. Ignoring it leaves an open door for adversaries to exploit fundamental web application logic, potentially leading to data integrity issues or service availability problems.
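To make the flaw concrete, the following is an added PHP illustration (not Flight's own code) of the unsafe method-resolution pattern the advisory describes, beside a hardened version; the $server and $request arrays stand in for $_SERVER and $_REQUEST, and the sample request is constructed.

```php
<?php
// Added illustration, not Flight's code. $server mirrors $_SERVER and
// $request mirrors $_REQUEST; both are constructed inputs.

/** Unsafe pattern: any request, including a GET, may rewrite its own verb. */
function resolveMethodUnsafe(array $server, array $request): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (isset($server['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
        $method = strtoupper($server['HTTP_X_HTTP_METHOD_OVERRIDE']);
    } elseif (isset($request['_method'])) {
        $method = strtoupper($request['_method']);
    }
    return $method;
}

/**
 * Hardened pattern: an override is honored only when the real verb is POST
 * (the case the mechanism exists for, e.g. HTML forms that cannot send
 * PUT/DELETE) and only to an allow-listed verb. GET and HEAD are never
 * promoted, so a cross-site link or image tag cannot trigger a destructive
 * action, and caches keyed on GET see the verb the origin actually executes.
 */
function resolveMethodSafe(array $server, array $request): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ($method !== 'POST') {
        return $method;
    }
    $override = $server['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? $request['_method'] ?? null;
    if ($override === null) {
        return $method;
    }
    $override = strtoupper((string) $override);
    return in_array($override, ['PUT', 'PATCH', 'DELETE'], true) ? $override : $method;
}

// Constructed sample: a GET carrying _method=DELETE in its query string,
// the request shape the Sigma rule on this page looks for.
$server  = ['REQUEST_METHOD' => 'GET'];
$request = ['_method' => 'DELETE'];

echo 'unsafe resolver: ', resolveMethodUnsafe($server, $request), PHP_EOL;
echo 'safe resolver:   ', resolveMethodSafe($server, $request), PHP_EOL;

// The legitimate use is preserved: a POSTed form may still override to DELETE.
echo 'safe, POST form: ', resolveMethodSafe(['REQUEST_METHOD' => 'POST'], $request), PHP_EOL;
```

Gating the override on POST removes the GET escalation path; the POST form itself still needs the application's normal CSRF token protection.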
What This Means For You
- If your applications leverage the Flight PHP framework, you are exposed to CVE-2026-42551. Immediately identify all deployments running Flight versions older than 3.18.1 and patch them. Audit your application logs for any unusual method override requests, particularly those on GET endpoints that resulted in non-GET behavior.
🛡️ Detection Rules
3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK. The Sigma YAML rule follows.
CVE-2026-42551: Flight PHP Framework CSRF via Method Override
```yaml
title: 'CVE-2026-42551: Flight PHP Framework CSRF via Method Override'
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Detects GET requests that also contain a '_method=' parameter, which is a strong indicator of an attempt to exploit CVE-2026-42551. This vulnerability allows attackers to perform CSRF attacks by forcing a GET request to be treated as a destructive method (e.g., DELETE, PUT) by including the '_method' parameter, bypassing intended security controls.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42551/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'GET'
    cs-uri-query|contains:
      - '_method='
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42551 | CSRF | Flight PHP micro-framework versions prior to 3.18.1 |
| CVE-2026-42551 | Auth Bypass | Flight PHP micro-framework Request::getMethod() unconditionally honors X-HTTP-Method-Override header |
| CVE-2026-42551 | Auth Bypass | Flight PHP micro-framework Request::getMethod() unconditionally honors $_REQUEST['_method'] parameter |
| CVE-2026-42551 | Cache Poisoning | Flight PHP micro-framework versions prior to 3.18.1 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.