CVE-2026-41570
Description
PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phpunit/phpunitPackagist | >= 12.5.21, < 12.5.22 | 12.5.22 |
phpunit/phpunitPackagist | >= 13.1.5, < 13.1.6 | 13.1.6 |
Affected products
3- Range: = 13.1.5
cpe:2.3:a:phpunit_project:phpunit:12.5.21:*:*:*:*:-:*:*+ 1 more
- cpe:2.3:a:phpunit_project:phpunit:12.5.21:*:*:*:*:-:*:*
- cpe:2.3:a:phpunit_project:phpunit:13.1.5:*:*:*:*:-:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/sebastianbergmann/phpunit/pull/6592nvdIssue TrackingPatchWEB
- github.com/sebastianbergmann/phpunit/security/advisories/GHSA-qrr6-mg7r-m243nvdMitigationPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-qrr6-mg7r-m243ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41570ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2026-41570.yamlghsaWEB
News mentions
1- Danger of Libredtail [Guest Diary], (Wed, Apr 29th)SANS Internet Storm Center · Apr 30, 2026