CVE-2026-59859
Kiota’s PHP generator (prior to 1.32.4) embeds OpenAPI-derived strings directly into PHP double-quoted literals via SanitizeDoubleQuote(), without escaping $. This permits attacker-controlled interpolation constructs like ${…}, $var, or {$obj->prop} to inject arbitrary PHP code into generated ...