CVE-2026-42549
4.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Summary
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(…, recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains /, but the recursive directory creation side effect is already committed — including directories located outside the project root through ../ traversal. This vulnerability is fixed in 3.18.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| flightphp | core | < 3.18.1 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.