FrankenPHP v1.11.2 Released With 30% Faster CGO, 40% Faster GC, and Security Patches
Published on by Eric L. Barnes
FrankenPHP has released v1.11.2, and it is a high-priority upgrade. The release addresses three security vulnerabilities, including a critical path confusion issue that could allow arbitrary file execution, plus a session leak between requests in worker mode.
Beyond security, this release delivers significant performance improvements by upgrading the compiler to Go 1.26. Users can expect a 10-40% faster Garbage Collector and ~30% faster CGO calls, resulting in significantly reduced latency for PHP applications.
You can see the full release notes for details; here are some highlights:
Security fixes (upgrade strongly recommended)
- GHSA-g966-83w7-6w38: Fixes Unicode casing path confusion in CGI path splitting that could lead to arbitrary file execution.
- GHSA-r3xh-3r3w-47gp: Fixes a session leak between requests handled by workers.
- GHSA-x9p2-77v6-6vhf: Fixes delayed propagation of security fixes in upstream base Docker images.
If you run FrankenPHP in production, especially with worker mode enabled or in environments where users can influence request paths or uploads, upgrading should be at the top of your list.
Performance improvements
FrankenPHP v1.11.2 upgrades the compiler toolchain to Go 1.26. The maintainers call out:
- 10–40% faster garbage collector
- ~30% faster CGO calls
Alongside “various internal optimizations,” this can reduce latency and smooth out tail response times under load.
Notable fixes and stability improvements
This release also includes a pile of bug fixes and stability work, including:
- Ensuring $_SERVER['PHP_SELF'] always starts with a slash
- Letting PHP handle HTTP Basic Auth headers natively
- Fixes for symlink edge cases
- Fixes for race conditions during shutdown and “drain”
- Multiple segmentation fault fixes in edge cases
- Worker mode improvements like initializing $_REQUEST correctly and resetting INI settings and $_SESSION when changed during a request
New feature: Alpine APK repository
FrankenPHP also adds a dedicated APK repository for Alpine Linux, which should make Alpine-based installs and image builds easier to manage.
Learn more
- Release notes: https://github.com/php/frankenphp/releases/tag/v1.11.2
- Full changelog compare: https://github.com/php/frankenphp/compare/v1.11.1...v1.11.2