Command Injection Vulnerability in setup-php by Shivam Mathur
CVE-2026-46420

5.6MEDIUM

Key Information:

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-46420?

The setup-php action, which simplifies the configuration of PHP environments on GitHub Actions, is vulnerable to command injection due to its handling of PHP version resolution from certain repository-controlled files. Specifically, from versions 2.25.0 to 2.37.0, inadequate validation of version constraints can lead to the execution of arbitrary commands if untrusted content is checked out in workflows. This vulnerability poses a risk when workflows utilize the pull_request_target event, as it allows attackers to control input to the setup scripts. Users are urged to upgrade to version 2.37.1 or later to mitigate this risk.

Affected Version(s)

setup-php >= 2.25.0, < 2.37.1

References

CVSS V3.1

Score:
5.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.