Critical Alert 3 Active Exploits Detected Today

CVE-2026-58644 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability →
CVE-2026-25089 Fortinet FortiSandbox OS Command Injection Vulnerability →
CVE-2026-39808 Fortinet FortiSandbox OS Command Injection Vulnerability →
Powered by CVE Watchtower
×

CVE Watchtower


← Back to CVE List

CVE-2026-46420NVD

Vulnerability Summary

setup-php is a GitHub action to set up PHP with extensions, php.ini configuration, coverage drivers, and tools. From 2.25.0 prior to 2.37.1, shivammathur/setup-php resolves the PHP version from repository-controlled files such as .php-version, composer.lock through platform-overrides.php, and composer.json through config.platform.php, and insufficiently constrains those values before incorporating them into generated shell or PowerShell setup scripts, allowing command injection on a GitHub Actions runner when workflows such as pull_request_target check out attacker-controlled contents before invoking setup-php. This issue is fixed in version 2.37.1.
Severity Level
MEDIUM(5.6)
Published Date
Jul 17, 2026
Last Modified
Jul 17, 2026
Exploitation Status
No confirmed exploitation yet
EPSS Score (30-Day)
1.58%Probability
Root Weakness (CWE)
The software constructs all or part of an OS command using externally-influenced input, but does not properly neutralize special elements.
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityHigh
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityLow
IntegrityLow
AvailabilityLow