CVE-2026-42552: Flight PHP Framework Leaks Critical Server Info
The National Vulnerability Database has published CVE-2026-42552, a high-severity vulnerability in Flight, the extensible micro-framework for PHP. Prior to version 3.18.1, the framework's default error handler, Engine::_error(), exposes sensitive server information in HTTP 500 responses: the full exception message, the exception code, and the complete stack trace, which in turn reveals absolute filesystem paths.
This is not just a debug nuisance; it is a genuine information leak. Production deployments on vulnerable versions expose their internal paths and full module structure to any client that triggers an unhandled exception, and may expose secrets embedded in exception messages. These details give an attacker the groundwork to chain other weaknesses such as Local File Inclusion (LFI) or path traversal. The National Vulnerability Database rates the issue CVSS 7.5 (HIGH), underscoring the severity of the disclosure.
Defenders should understand the attacker's calculus here: information leaks are reconnaissance gold, because knowing internal paths and module layout removes most of the guesswork from exploit development. The National Vulnerability Database lists no affected products beyond the Flight framework itself, but any application built on Flight prior to version 3.18.1 is at risk. The fix is straightforward: upgrade to Flight 3.18.1 to close the exposure.
What This Means For You
- If your organization uses the Flight PHP framework, verify its version now. This is not theoretical: CVE-2026-42552 hands attackers a roadmap to your server's internals. Patch to Flight 3.18.1 without delay to close an information disclosure that can lead to further exploitation.
🛡️ Detection Rules
Detection rules auto-generated for this incident, mapped to MITRE ATT&CK, in Sigma YAML.

```yaml
title: 'CVE-2026-42552: Flight PHP Framework Default Error Handler Information Leak'
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Detects HTTP 500 errors that are likely caused by the Flight PHP framework's default error handler (Engine::_error()) leaking sensitive information. This occurs when the framework's error handler outputs full exception messages, codes, and stack traces, including absolute filesystem paths, directly into the response without debug gating. This leak provides attackers with internal paths and module structures, aiding in further exploitation.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42552/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    sc-status:
      - 500
    uri|contains:
      - '/vendor/flightphp/flight/src/Flight.php'
    # This is a heuristic; the exact path might vary based on installation.
    # The key is the presence of the Flight PHP framework code in the error response.
    # The actual response body is not logged by default in many webservers,
    # so we rely on status code and URI as indicators.
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
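Because most web servers do not log response bodies, the Sigma rule can only key on status code and URI. As an added defensive check that is not part of this advisory or of the Flight project, the Python below inspects HTTP 500 bodies captured from your own application (for example via a proxy or a synthetic test client) and reports the echoed exception message and any absolute paths in the PHP trace. The page layout it matches (message in an `<h3>`, trace in a `<pre>`) is an assumption about Flight's default error page, and the sample body is constructed.

```python
"""Added check for CVE-2026-42552-style leaks: inspect HTTP 500 bodies captured
from your own Flight application and report exception text and absolute paths.
Assumed layout of Flight's default error page: message in <h3>, PHP trace in <pre>."""
import re
from dataclasses import dataclass, field

# PHP trace frames look like "#0 /abs/path/File.php(123): Class->method()".
FRAME_RE = re.compile(r"#\d+\s+(?P<path>/[^\s(]+)\((?P<line>\d+)\)")
# Exception message as echoed by the (assumed) default error page.
MESSAGE_RE = re.compile(r"<h3>(.*?)</h3>", re.DOTALL)


@dataclass
class LeakReport:
    leaked: bool
    paths: list = field(default_factory=list)   # absolute paths found in the trace
    message: str = ""                           # exception message echoed to the client


def inspect_500_body(status: int, body: str) -> LeakReport:
    """Classify one response. Only 500 responses are examined; anything that
    carries a PHP trace, an absolute path, or an echoed exception message is a leak."""
    if status != 500:
        return LeakReport(False)
    paths = {m.group("path") for m in FRAME_RE.finditer(body)}
    m = MESSAGE_RE.search(body)
    message = m.group(1).strip() if m else ""
    # "{main}" closes every PHP trace string even when no frame carries a path.
    leaked = bool(paths) or "{main}" in body or bool(message)
    return LeakReport(leaked, sorted(paths), message)


# Constructed sample of a leaking response body (not a real capture).
SAMPLE_BODY = """<h1>500 Internal Server Error</h1>
<h3>SQLSTATE[HY000] [1045] Access denied for user 'app'@'db' (using password: YES) (1045)</h3>
<pre>#0 /var/www/app/vendor/flightphp/flight/src/Flight.php(150): App\\Db->connect()
#1 /var/www/app/app/controllers/UserController.php(42): App\\Db->query('SELECT ...')
#2 [internal function]: App\\UserController->show('7')
#3 {main}</pre>"""

if __name__ == "__main__":
    report = inspect_500_body(500, SAMPLE_BODY)
    print("leak:", report.leaked)
    for p in report.paths:
        print("  path:", p)
    print("  message:", report.message)
```

Run it against the 500 pages your own staging deployment returns; any non-empty `paths` or `message` on a production host is the disclosure the advisory describes.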
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42552 | Information Disclosure | Flight PHP micro-framework versions prior to 3.18.1 |
| CVE-2026-42552 | Information Disclosure | Vulnerable component: Engine::_error() default error handler |
| CVE-2026-42552 | Information Disclosure | Leaking internal paths, secret exception messages, and module structure in HTTP 500 responses |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.