{"url":"http://public2.vulnerablecode.io/api/packages/373615?format=json","purl":"pkg:composer/phpunit/phpunit@12.5.21","type":"composer","namespace":"phpunit","name":"phpunit","version":"12.5.21","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.8.28","latest_non_vulnerable_version":"13.1.6","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80763?format=json","vulnerability_id":"VCID-mkna-etnx-vudj","summary":"PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets \" as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41570","reference_id":"","reference_type":"","scores":[{"value":"0.00086","scoring_system":"epss","scoring_elements":"0.24874","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41570"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2026-41570.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2026-41570.yaml"},{"reference_url":"https://github.com/sebastianbergmann/phpunit","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sebastianbergmann/phpunit"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41570","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41570"},{"reference_url":"https://github.com/sebastianbergmann/phpunit/pull/6592","reference_id":"6592","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-08T16:01:31Z/"}],"url":"https://github.com/sebastianbergmann/phpunit/pull/6592"},{"reference_url":"https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-qrr6-mg7r-m243","reference_id":"GHSA-qrr6-mg7r-m243","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-08T16:01:31Z/"}],"url":"https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-qrr6-mg7r-m243"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373616?format=json","purl":"pkg:composer/phpunit/phpunit@12.5.22","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@12.5.22"},{"url":"http://public2.vulnerablecode.io/api/packages/373618?format=json","purl":"pkg:composer/phpunit/phpunit@13.1.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@13.1.6"}],"aliases":["CVE-2026-41570","GHSA-qrr6-mg7r-m243"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mkna-etnx-vudj"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpunit/phpunit@12.5.21"}