FrankenPHP 1.12.4 – Security & Stability Hardening
FrankenPHP Releases · July 10, 2026
curated by Heiko
FrankenPHP 1.12.4 closes HTTP header spoofing via underscore collision, bundles Caddy 2.11.4 and Mercure 0.24.2 security patches, and fixes worker-mode crashes and data races. The CGI dash-to-underscore mapping allowed attackers to forge headers; Caddy now strips underscores at server layer. All users should upgrade immediately.
AI-generated summary (Heiko) · editorially responsible: J. Fuchs · How we use AI