GHSA-pqwm-q9pv-ph8r
Severity: Medium (CVSS 5.6)

Setup PHP: Command Injection in Repository-Derived PHP Version Resolution

Published: May 20, 2026
Last modified: May 20, 2026


## Description

### Summary

A command injection vulnerability was identified in `shivammathur/setup-php` when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script.

In affected versions, `setup-php` may read the PHP version from:

- `.php-version`
- `composer.lock` via `platform-overrides.php`
- `composer.json` via `config.platform.php`

If an attacker can influence one of these files and the workflow executes `setup-php` in a trusted context, they may be able to execute commands on the GitHub Actions runner.

### Impact

This issue is exploitable when `setup-php` is run after checking out attacker-controlled repository contents and resolves the PHP version from repository files. The most significant example is a privileged workflow such as `pull_request_target` that checks out untrusted pull request code before invoking `setup-php`. Similar risk can also arise in other workflows that operate on attacker-controlled refs, branches, or repository contents in a trusted context.

This is not a separate security boundary when an attacker can already modify the workflow definition itself or directly control the `php-version` workflow input, since that level of access already permits arbitrary command execution in GitHub Actions.

### Technical details

In affected versions, repository-derived PHP version values were insufficiently constrained before being incorporated into the generated shell or PowerShell setup script executed by the action. This could allow attacker-controlled values from supported repository files to influence script execution in trusted workflow contexts.

### Remediation

If you are using `shivammathur/setup-php@v2`, no action is needed on your end. Users who pin the setup-php release version or release version SHA should upgrade to a patched version.

The fix validates PHP version inputs, constrains manifest-derived versions, hardens script generation at the point of execution, and includes additional checks in related input-handling paths.
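To make the validation concrete, the following TypeScript is an added example (not setup-php's own code) that resolves a version from constructed stand-ins for the three repository files and allowlists it before it can reach a generated command line, with the unchecked interpolation shown beside the hardened one. The version grammar, the JSON key layout and the `setup.sh` name are assumptions for this example.

```typescript
// Allowlist grammar is an assumption for this example; the action's real
// grammar may differ. Anything outside it is rejected outright.
const VERSION_PATTERN = /^(?:\d+\.\d+(?:\.\d+)?|latest|nightly)$/;

export function validatePhpVersion(raw: string): string {
  const value = String(raw).trim();
  if (!VERSION_PATTERN.test(value)) {
    throw new Error(`rejected PHP version value: ${JSON.stringify(value)}`);
  }
  return value;
}

// Constructed in-memory stand-ins for the three repository files the
// advisory lists (raw file contents, not reads from a checkout).
export interface RepoFiles {
  phpVersion?: string;   // .php-version
  composerLock?: string; // composer.lock
  composerJson?: string; // composer.json
}

function fromComposerLock(text?: string): string | undefined {
  if (!text) return undefined;
  return JSON.parse(text)?.['platform-overrides']?.php; // assumed key layout
}

function fromComposerJson(text?: string): string | undefined {
  if (!text) return undefined;
  return JSON.parse(text)?.config?.platform?.php; // assumed key layout
}

// Precedence follows the advisory's listing order; every candidate, whichever
// file it came from, passes through the same allowlist before use.
export function resolvePhpVersion(files: RepoFiles, fallback: string): string {
  const candidates = [files.phpVersion, fromComposerLock(files.composerLock),
                      fromComposerJson(files.composerJson)];
  for (const c of candidates) {
    if (c !== undefined && String(c).trim() !== '') return validatePhpVersion(String(c));
  }
  return validatePhpVersion(fallback);
}

// Vulnerable pattern: the repository-derived value is interpolated as-is,
// so shell metacharacters in it become part of the command line.
export function buildScriptUnchecked(version: string): string {
  return `bash setup.sh ${version}`; // hypothetical script name
}

// Hardened pattern: only an allowlisted value can reach the command line.
export function buildScriptChecked(version: string): string {
  return `bash setup.sh ${validatePhpVersion(version)}`;
}
```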

## Affected products (1)

  • actions/shivammathur/setup-php: >= 2.25.0, < 2.37.1
