Command Injection Affecting setup-php package, versions >=2.25.0 <2.37.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
1.58% (83rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Command Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-SETUPPHP-16874161
  • published25 May 2026
  • disclosed20 May 2026
  • creditUnknown

Introduced: 20 May 2026

CVE-2026-46420  (opens in a new tab)
CWE-78  (opens in a new tab)

How to fix?

Upgrade setup-php to version 2.37.1 or higher.

Overview

setup-php is a Setup PHP for use with GitHub Actions

Affected versions of this package are vulnerable to Command Injection via the process that resolves PHP version from repository-controlled files such as .php-version, composer.lock, or composer.json and incorporates the value into the generated setup script. An attacker can execute arbitrary commands on the GitHub Actions runner by injecting malicious values into these files when the workflow runs in a trusted context after checking out attacker-controlled repository contents. This is only exploitable if the workflow executes after checking out untrusted code and resolves the PHP version from repository files in a privileged context.

CVSS Base Scores

version 4.0
version 3.1