Command Injection Vulnerability in setup-php by Shivam Mathur
CVE-2026-46420
5.6MEDIUM
What is CVE-2026-46420?
The setup-php action, which simplifies the configuration of PHP environments on GitHub Actions, is vulnerable to command injection due to its handling of PHP version resolution from certain repository-controlled files. Specifically, from versions 2.25.0 to 2.37.0, inadequate validation of version constraints can lead to the execution of arbitrary commands if untrusted content is checked out in workflows. This vulnerability poses a risk when workflows utilize the pull_request_target event, as it allows attackers to control input to the setup scripts. Users are urged to upgrade to version 2.37.1 or later to mitigate this risk.
Affected Version(s)
setup-php >= 2.25.0, < 2.37.1
