CVE-2026-57584

Source
https://cve.org/CVERecord?id=CVE-2026-57584
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57584.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-57584
Aliases
  • GHSA-x7rj-f32v-7jjg
Published
2026-07-10T21:04:26.946Z
Modified
2026-07-16T03:48:41.398623687Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Phalcon: Catastrophic backtracking (ReDoS) in the default Phalcon Router route lead to remote unauthenticated DoS
Details

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier (/.), and the same construct is produced by the /:params placeholder and the CLI router. Phalcon\Mvc\Router::handle() matches this pattern against the attacker-controlled request URI on every request, so a crafted path such as one containing repeated slashes followed by decoded newlines can trigger catastrophic backtracking and cause CPU exhaustion or route-matching failure. This issue is fixed in version 5.15.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57584.json",
    "cwe_ids": [
        "CWE-1333"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/phalcon/cphalcon

Affected ranges

Type
GIT
Repo
https://github.com/phalcon/cphalcon
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.15.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

5.*
5.0.0alpha3
5.12.0
phalcon-v0.*
phalcon-v0.7.0
phalcon-v0.9.0
phalcon-v1.*
phalcon-v1.0.0
phalcon-v1.0.1
phalcon-v1.1.0
phalcon-v1.2.0
phalcon-v1.3.0
phalcon-v1.3.1
phalcon-v1.3.2
phalcon-v1.3.3
phalcon-v1.3.4
phalcon-v2.*
phalcon-v2.0.0
phalcon-v2.0.1
phalcon-v2.0.10
phalcon-v2.0.11
phalcon-v2.0.13
phalcon-v2.0.2
phalcon-v2.0.3
phalcon-v2.0.4
phalcon-v2.0.5
phalcon-v2.0.6
phalcon-v2.0.7
phalcon-v2.0.8
phalcon-v2.0.9
v0.*
v0.7.0
v0.9.0
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.2.0
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.1
v3.1.2
v3.2.0
v3.2.1
v3.2.2
v4.*
v4.0.0
v4.0.0-alpha.2
v4.0.0-alpha.3
v4.0.0-alpha.5
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.3
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.1.0
v5.*
v5.0.0
v5.0.0-alpha.1
v5.0.0-alpha.2
v5.0.0RC1
v5.0.0RC2
v5.0.0RC3
v5.0.0RC4
v5.0.0alpha3
v5.0.0alpha4
v5.0.0alpha5
v5.0.0alpha6
v5.0.0alpha7
v5.0.0beta1
v5.0.0beta2
v5.0.0beta3
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.1.4
v5.10.0
v5.11.0
v5.11.1
v5.12.1
v5.13.0
v5.14.0
v5.14.1
v5.14.2
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.3.0
v5.3.1
v5.4.0
v5.5.0
v5.6.0
v5.6.1
v5.6.2
v5.7.0
v5.8.0
v5.9.0
v5.9.1
v5.9.2
v5.9.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57584.json"