This release fixes CVE-2026-45062 (high, CVSS 8.1): unsafe Unicode handling in CGI path splitting let an attacker have a non-.php file executed as PHP via a crafted URL, in any deployment where attacker-controlled file names land on the served filesystem. All users on v1.11.2 through v1.12.2 should upgrade.
It also brings a ~7-8% Hello World throughput bump from a refreshed PGO profile, configurable per-thread request limits, persistent-zval helpers for sharing state across threads, a cross-platform force-kill primitive for stuck PHP threads, correct SCRIPT_NAME / PHP_SELF / PATH_INFO server variables, and a long series of frankenphp extension-init (extgen) generator fixes by @alexandre-daubois.
Released binaries now carry SLSA build-provenance attestations — verify with `gh attestation verify <binary> --owner php` or `gh attestation verify oci://docker.io/dunglas/frankenphp@sha256:... --owner php`.
🔒 Security
- Unsafe Unicode handling in CGI path splitting allowed execution of non-PHP files (GHSA-3g8v-8r37-cgjm / CVE-2026-45062). Reported by @KC1zs4.
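The advisory above only states the class of the bug (Unicode handling in CGI path splitting leading to a non-`.php` file being executed), not its mechanics. As an added illustration that is not FrankenPHP's code and does not reproduce the fixed defect, the Go snippet below shows one generic way a `split_path` step goes wrong with non-ASCII input (an offset computed on a case-folded copy reused on the original bytes, which shifts when a character such as U+212A KELVIN SIGN folds to a shorter ASCII "k"), next to a byte-exact splitter and the final "does the script path really end with the configured suffix" check a deployment should run before handing any path to the interpreter. All function names and the sample path are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNoScript is returned when no path segment ends with the script suffix.
var ErrNoScript = errors.New("no script segment in path")

// SplitPath splits a request path at the end of the first path segment that
// ends with suffix (e.g. ".php", compared ASCII-case-insensitively) and returns
// the script part plus the trailing PATH_INFO. Illustrative code, not
// FrankenPHP's own implementation.
//
// Every offset is computed on the original byte string; nothing is sliced with
// an index taken from a case-folded copy, because Unicode case mapping may
// change byte lengths.
func SplitPath(path, suffix string) (script, pathInfo string, err error) {
	if suffix == "" || !isASCII(suffix) {
		return "", "", errors.New("suffix must be non-empty ASCII")
	}
	start := 0
	for {
		end := strings.IndexByte(path[start:], '/')
		if end < 0 {
			end = len(path)
		} else {
			end += start
		}
		if HasSuffixFold(path[start:end], suffix) {
			return path[:end], path[end:], nil
		}
		if end == len(path) {
			return "", "", ErrNoScript
		}
		start = end + 1
	}
}

// HasSuffixFold reports whether s ends with suffix under ASCII-only case
// folding. Non-ASCII bytes never match, so Unicode look-alikes cannot satisfy
// the check. Use it as the last gate before executing a resolved script path.
func HasSuffixFold(s, suffix string) bool {
	if len(s) < len(suffix) {
		return false
	}
	tail := s[len(s)-len(suffix):]
	for i := 0; i < len(suffix); i++ {
		if toLowerASCII(tail[i]) != toLowerASCII(suffix[i]) {
			return false
		}
	}
	return true
}

func isASCII(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] >= 0x80 {
			return false
		}
	}
	return true
}

func toLowerASCII(b byte) byte {
	if 'A' <= b && b <= 'Z' {
		return b + 'a' - 'A'
	}
	return b
}

// NaiveSplit shows the pitfall the version above avoids: it searches a
// lower-cased copy and reuses that offset on the original string. This is a
// generic illustration of the bug class, not the defect fixed in this release.
func NaiveSplit(path, suffix string) (script, pathInfo string) {
	idx := strings.Index(strings.ToLower(path), suffix)
	if idx < 0 {
		return "", ""
	}
	cut := idx + len(suffix)
	if cut > len(path) {
		cut = len(path)
	}
	return path[:cut], path[cut:]
}

func main() {
	// Constructed sample: a directory named with U+212A (3 bytes in UTF-8),
	// which strings.ToLower maps to ASCII "k" (1 byte), shifting later offsets.
	path := "/\u212A/index.php/extra"
	s, p := NaiveSplit(path, ".php")
	fmt.Printf("naive:    script=%q path_info=%q executable=%v\n", s, p, HasSuffixFold(s, ".php"))
	s, p, err := SplitPath(path, ".php")
	fmt.Printf("hardened: script=%q path_info=%q err=%v\n", s, p, err)
}
```

The naive variant yields a script path of `/K/index.p` for the sample, which the final `HasSuffixFold` gate rejects; the byte-exact splitter returns `/K/index.php` with `/extra` as PATH_INFO. Whatever splitter a deployment uses, keeping that last suffix gate independent of the split logic is the cheap defence against this bug class.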
🚀 Features
- Configurable `max_requests` for PHP threads by @nicolas-grekas in #2292
- Persistent-zval helpers (deep-copy zval trees across threads) by @nicolas-grekas in #2366
- Cross-platform force-kill primitive for stuck PHP threads by @nicolas-grekas in #2365
- Release binaries now ship with SLSA build-provenance attestations by @dunglas in #2418
🐛 Fixes
- Set `$_SERVER` variables `SCRIPT_NAME`, `PHP_SELF`, and `PATH_INFO` correctly by @henderkes in #2317
- Fix dead forked `pthread_fork` children by @henderkes in #2332
- Fix upstream BC break on `INI_INT()` macro by @zeriyoshi in #2387
- Caddy: reject invalid `split_path` at provision time by @alexandre-daubois in #2350
- `extgen` parser hardening by @alexandre-daubois: better error handling (#2370), emit warnings to stderr (#2374), reset `iota` per const block (#2375), escape control chars in C string literals (#2377), extract Go function bodies via `go/ast` (#2379), symmetric Go type compatibility check (#2380)
⚡ Performance and Internal Improvements
- Use PGO to improve FrankenPHP's Go performance (7-8% Hello World throughput) by @henderkes in #2361
- perf(extgen): hoist const block regexes out of parser loop by @alexandre-daubois in #2378
- refactor: add `drain()` seam to `threadHandler` interface by @nicolas-grekas in #2367
- refactor(extgen): share signature and parameter parsing helpers by @alexandre-daubois in #2376
📝 Documentation
- Improve worker docs, add internals docs by @dunglas in #2334
- Add SEO frontmatter, `llms.txt`, and code-block hygiene by @dunglas in #2394
- Fix migration guide menu entry by @alexandre-daubois in #2373
- Adjust volume mount path in `migrate.md` by @francislavoie in #2337
- Fix Laravel trusted proxies URL by @mtmn in #2359
- Update wording in extensions documentation by @SpencerMalone in #2338
💖 New Contributors
- @zeriyoshi made their first contribution in #2387
- @mtmn made their first contribution in #2359
Need help adopting FrankenPHP, hardening a PHP application against issues like CVE-2026-45062, or squeezing more performance out of your workers? Les-Tilleuls.coop — the team behind FrankenPHP — provides professional support, consulting, custom development, and training. Get in touch: contact@les-tilleuls.coop.
Full Changelog: v1.12.2...v1.12.3