GHSA-x9p2-77v6-6vhf: FrankenPHP has delayed propagation of security fixes in upstream base images

February 5, 2026

Vulnerability in base Docker images (PHP, Go, and Alpine) not automatically propagating to FrankenPHP images.

FrankenPHP’s container images were previously built only when specific version tags were updated or when manual triggers were initiated. This meant that if an upstream base image (such as Alpine Linux or official PHP/Go images) received a security patch under an existing tag, the FrankenPHP image would remain on the older, vulnerable version of those base layers.

References

github.com/advisories/GHSA-x9p2-77v6-6vhf
github.com/php/frankenphp
github.com/php/frankenphp/security/advisories/GHSA-x9p2-77v6-6vhf

Code Behaviors & Features

Detect and mitigate GHSA-x9p2-77v6-6vhf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →