CVE-2026-42548 Overview
CVE-2026-42548 is a reflected cross-site scripting (XSS) vulnerability in Flight, an extensible micro-framework for PHP. The flaw affects all versions prior to 3.18.1 and resides in the Flight::jsonp() method. The method concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin. The issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Attackers can execute arbitrary JavaScript in the context of the vulnerable application, enabling session hijacking, credential theft, and unauthorized actions on behalf of victims.
Affected Products
- Flight PHP micro-framework versions prior to 3.18.1
- Applications using Flight::jsonp() with user-controlled query parameters
- The flightphp/core package distributed through Composer
Discovery Timeline
- 2026-05-13 - CVE-2026-42548 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42548
Vulnerability Analysis
The vulnerability exists in the Flight::jsonp() helper, which produces JSONP responses by wrapping a JSON payload inside a JavaScript function call. The function name is taken from the jsonp query string parameter and concatenated directly into the response body. The framework returns this body with the application/javascript content type, so any injected JavaScript executes when a victim's browser fetches the URL.
Because the response originates from the application's own domain, injected scripts run within that origin. Attackers can read cookies that are not flagged HttpOnly, exfiltrate session tokens, perform requests on behalf of the victim, and modify rendered content. The flaw is exploitable over the network and requires only that a victim be lured into clicking a crafted link.
Root Cause
The root cause is missing input validation. Flight::jsonp() does not verify that the supplied callback value matches the grammar for a valid JavaScript identifier, which would restrict it to characters such as [A-Za-z_$][A-Za-z0-9_$]*. Without that check, characters including parentheses, semicolons, angle brackets, and arbitrary script payloads are embedded verbatim into executable JavaScript.
Attack Vector
Exploitation requires user interaction. An attacker crafts a URL pointing to an endpoint that calls Flight::jsonp() and replaces the legitimate callback name with a malicious JavaScript payload. When the victim visits the URL, the browser executes the attacker's code in the application's origin. Phishing emails, malicious advertisements, or attacker-controlled pages can deliver the link.
No authentication is required to trigger the vulnerable response. The attack chain is consistent with classic reflected XSS through JSONP callbacks. Refer to the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-42548
Indicators of Compromise
- Web server access logs containing jsonp= query parameters with characters outside the JavaScript identifier set, such as (, ), ;, <, or >.
- Requests with unusually long jsonp values or URL-encoded payloads resembling alert(, document.cookie, or fetch(.
- Referrer headers from attacker-controlled domains pointing to endpoints that invoke Flight::jsonp().
Detection Strategies
- Static code review for any call to Flight::jsonp() to confirm the application is on 3.18.1 or later.
- Web application firewall (WAF) rules that inspect the jsonp query parameter and reject values not matching ^[A-Za-z_$][A-Za-z0-9_$]*$.
- Runtime application self-protection (RASP) hooks that flag JSONP responses containing scripting metacharacters.
Monitoring Recommendations
- Alert on spikes of application/javascript responses correlated with jsonp query parameters.
- Monitor browser-side Content Security Policy (CSP) violation reports for inline script execution from the application origin.
- Centralize web server, WAF, and application logs for retroactive hunting against the IOC patterns above.
How to Mitigate CVE-2026-42548
Immediate Actions Required
- Upgrade flightphp/core to version 3.18.1 or later using Composer.
- Audit application routes that invoke Flight::jsonp() and confirm callback parameters are validated.
- Rotate session identifiers and API tokens that may have been exposed if exploitation is suspected.
Patch Information
The maintainers fixed the issue in Flight 3.18.1 by validating that the jsonp callback value is a legal JavaScript identifier before including it in the response. Details are published in the GitHub Security Advisory GHSA-fcx8-ph5r-mxr4.
Workarounds
- Disable JSONP endpoints if the application does not require cross-origin script callbacks.
- Enforce strict server-side validation of the jsonp parameter against an allowlist regex matching JavaScript identifiers.
- Deploy a Content Security Policy that restricts script execution to known sources to reduce impact of injected payloads.
# Update Flight to the patched release
composer require flightphp/core:^3.18.1
composer update flightphp/core
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
