CVE-2026-41570
Description
PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 0 |
| sid | Fixed | 0 |
| forky | Fixed | 0 |
| bullseye | Fixed | 0 |
| bookworm | Fixed | 0 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | phpunit/phpunit | >=12.5.21,<12.5.22 | 12.5.22 |
| Packagist | phpunit/phpunit | >=13.1.5,<13.1.6 | 13.1.6 |
| COMPOSER | phpunit/phpunit | = 13.1.5 | 13.1.6 |
| COMPOSER | phpunit/phpunit | = 12.5.21 | 12.5.22 |
References
- https://github.com/sebastianbergmann/phpunit/pull/6592
- https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-qrr6-mg7r-m243
- https://security-tracker.debian.org/tracker/CVE-2026-41570
- https://nvd.nist.gov/vuln/detail/CVE-2026-41570
- https://github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2026-41570.yaml
- https://github.com/sebastianbergmann/phpunit
- https://github.com/advisories/GHSA-qrr6-mg7r-m243
CWEs
CWE-88 CWE-93
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.