CVE-2026-41570

Severity: High · EPSS 9.0%
Published May 8, 2026 (1 month ago) · Modified Jun 17, 2026 (2 weeks ago)
CVSS 3.1 base score: 7.8 (High)

Description

PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6.
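The defensive check that the description implies, as an added example written for this page (it is not PHPUnit's code and not the change in PR 6592; the function and class names are hypothetical): before a value is forwarded to a child process as -d name=value, refuse any name that is not a plain identifier and any value containing the INI metacharacters the advisory names (newline, ; and "). A second helper asks PHP's own parse_ini_string() how many directives the child would see, which is a useful regression check for the fix.

```php
<?php
declare(strict_types=1);

// Added example, not PHPUnit's code. UnsafeIniValue, assertSafeIniSetting,
// iniDirectiveCount and buildIniArguments are hypothetical names. The INI
// grammar facts are the ones the advisory states: newline separates
// directives, ';' starts a comment, '"' delimits a string.

final class UnsafeIniValue extends InvalidArgumentException {}

/**
 * Reject any INI name or value that the child's INI parser could read as
 * anything other than a single "name=value" directive.
 */
function assertSafeIniSetting(string $name, string $value): void
{
    if (preg_match('/^[A-Za-z_][A-Za-z0-9_.]*$/', $name) !== 1) {
        throw new UnsafeIniValue(sprintf('INI name %s is not a plain identifier', var_export($name, true)));
    }

    // \r, \n : directive separator, the injection primitive in the advisory
    // ;      : starts a comment, silently truncating the directive
    // "      : string delimiter, can open or close quoting
    // \x00   : cannot be carried in an argv string at all
    if (preg_match('/[\r\n;"\x00]/', $value) === 1) {
        throw new UnsafeIniValue(sprintf('INI value for %s contains an INI metacharacter', $name));
    }
}

/**
 * Cross-check with PHP's own INI parser: a safe pair parses to exactly one
 * key. Returns -1 when the parser rejects the input outright.
 */
function iniDirectiveCount(string $name, string $value): int
{
    $parsed = @parse_ini_string($name . '=' . $value, false, INI_SCANNER_RAW);
    return $parsed === false ? -1 : count($parsed);
}

/** Build the "-d name=value" argv fragment for a child process, or throw. */
function buildIniArguments(array $settings): array
{
    $argv = [];
    foreach ($settings as $name => $value) {
        $name  = (string) $name;
        $value = (string) $value;
        assertSafeIniSetting($name, $value);
        $argv[] = '-d';
        $argv[] = $name . '=' . $value;
    }
    return $argv;
}

// Constructed sample inputs for the demonstration.
$benign   = ['memory_limit' => '256M', 'error_reporting' => 'E_ALL'];
$smuggled = ['memory_limit' => "256M\ndisplay_errors=1"]; // newline carries a second directive

print_r(buildIniArguments($benign));
printf("benign directive count: %d\n", iniDirectiveCount('memory_limit', '256M'));           // 1
printf("smuggled directive count: %d\n", iniDirectiveCount('memory_limit', "256M\ndisplay_errors=1")); // 2

try {
    buildIniArguments($smuggled);
} catch (UnsafeIniValue $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Shell-level quoting (escapeshellarg() or an argv array passed to proc_open()) does not address this class of bug: the newline survives intact and is only interpreted later, by the INI parser inside the child PHP process. Since the -d syntax offers no general escaping mechanism, rejecting metacharacters is simpler and easier to audit than trying to quote them.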

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS exploit probability
9.0%
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

Affected Products 2

Vendor            Product   Version   Range
phpunit_project   phpunit   12.5.21   any
phpunit_project   phpunit   13.1.5    any

References 2

  • github.com https://github.com/sebastianbergmann/phpunit/pull/6592
    Issue Tracking, Patch
  • github.com https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-qrr6-mg7r-m243
    Mitigation, Patch, Vendor Advisory

Remediation

  • github.com https://github.com/sebastianbergmann/phpunit/pull/6592
    Issue Tracking, Patch
  • github.com https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-qrr6-mg7r-m243
    Mitigation, Patch, Vendor Advisory