CVE-2026-42552 HIGH

CVE-2026-42552: Flight: Sensitive information disclosure via default error handler in flightphp/core

Vendor Flightphp

Product core

Weakness CWE-209 · Error message info leak

Published May 13, 2026

Last update May 15, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure — giving attackers primitives for chaining other weaknesses (LFI, path traversal). This vulnerability is fixed in 3.18.1.

Key dates

Disclosure timeline

May 13, 2026 CVE published

May 15, 2026 Record updated