| Name | CVE-2026-41570 |
| Description | PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| phpunit (PTS) | bullseye | 9.5.2-1 | fixed |
| bullseye (security) | 9.5.2-1+deb11u1 | fixed | |
| bookworm | 9.6.7-1 | fixed | |
| trixie | 11.5.19-1+deb13u1 | fixed | |
| forky | 13.0.6-3 | fixed | |
| sid | 13.2.1+ds-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| phpunit | source | (unstable) | (not affected) |
- phpunit <not-affected> (Vulnerable code not present in a Debian released version in unstable)
https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-qrr6-mg7r-m243
Introduced by: https://github.com/sebastianbergmann/phpunit/issues/5860 (12.5.21, 13.1.5)
Fixed by: https://github.com/sebastianbergmann/phpunit/pull/6592 (12.5.22, 13.1.6)