Setup PHP: Command Injection in Repository-Derived PHP Version Resolution — CVE-2026-46420

Summary

### Summary A command injection vulnerability was identified in `shivammathur/setup-php` when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script. In affected versions, `setup-php` may read the PHP version from: - `.php-version` - `composer.lock` via `platform-overrides.php` - `composer.json` via `config.platform.php` If an attacker can…

Product

actions: shivammathur/setup-php

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

• Read the official source
• CVE Record
• NVD

Related advisories