15 matches found
CVE-2026-46420 setup-php: Command Injection in Repository-Derived PHP Version Resolution
setup-php is a GitHub action to set up PHP with extensions, php.ini configuration, coverage drivers, and tools. From 2.25.0 prior to 2.37.1, shivammathur/setup-php resolves the PHP version from repository-controlled files such as .php-version, composer.lock through platform-overrides.php, and...
CVE-2026-46420
CVE-2026-46420 affects the GitHub Action setup-php (shivammathur/setup-php). From 2.25.0 up to, but not including, 2.37.1, the action resolves the PHP version from repository-controlled files (e.g., .php-version, composer.lock via platform-overrides.php, and composer.json via config.platform.php)...
Insertion of Sensitive Information into Log File
Overview setup-php is a Setup PHP for use with GitHub Actions Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the process that configures GitHub tokens for Composer in workflows where an exact affected Composer version is pinned. An attacke...
GHSA-5WXR-W449-57CM Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions
Impact This affects only workflows that pin an exact affected Composer semver version through setup-php, for example tools: composer:2.9.7. Workflows using the default Composer version, composer:v2, or no pinned Composer version are not affected through setup-php, because those Composer URLs have...
Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions
Impact This affects only workflows that pin an exact affected Composer semver version through setup-php, for example tools: composer:2.9.7. Workflows using the default Composer version, composer:v2, or no pinned Composer version are not affected through setup-php, because those Composer URLs have...
cache-extensions (>=1.9.1 <=1.14.1) potentially affected by CVE-2026-46420 via setup-php (>=2.25.0 <=2.36.0)
setup-php NPM version =2.25.0, =1.9.1, =1.14.1 Source cves: CVE-2026-46420 Source advisory: SNYK:JS-SETUPPHP-16874161...
Command Injection
Overview setup-php is a Setup PHP for use with GitHub Actions Affected versions of this package are vulnerable to Command Injection via the process that resolves PHP version from repository-controlled files such as .php-version, composer.lock, or composer.json and incorporates the value into the...
Setup PHP: Command Injection in Repository-Derived PHP Version Resolution
Summary A command injection vulnerability was identified in shivammathur/setup-php when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script. In affected versions, setup-php may read the PHP version from: - .php-versio...
GHSA-PQWM-Q9PV-PH8R Setup PHP: Command Injection in Repository-Derived PHP Version Resolution
Summary A command injection vulnerability was identified in shivammathur/setup-php when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script. In affected versions, setup-php may read the PHP version from: - .php-versio...
CVE-2025-34231
Vasion Print formerly PrinterLogic Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 VA/SaaS deployments contain a blind and non-blind server-side request forgery SSRF vulnerability. The '/var/www/app/consolerelease/hp/badgeSetup.php' script is reachable...
CVE-2025-9644 itsourcecode Apartment Management System bill_setup.php sql injection
A vulnerability was determined in itsourcecode Apartment Management System 1.0. Affected by this issue is some unknown functionality of the file /setting/billsetup.php. Executing manipulation of the argument txtBillType can lead to sql injection. It is possible to launch the attack remotely. The...
CVE-2024-13537 C9 Blocks <= 1.7.7 - Unauthenticated Full Path Disclosure
The C9 Blocks plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.7.7. This is due the plugin containing a publicly accessible composer-setup.php file with error display enabled. This makes it possible for unauthenticated attackers to retrieve the fu...
superMicro CMS Security Vulnerability
superMicro CMS is a website builder by Patrick Taylor, an individual developer. A security vulnerability exists in version 3.11 of superMicro CMS, which is caused by an arbitrary code execution vulnerability in the parameter fonttype of the file setup.php...
CVE-2011-5160
Cross-site scripting XSS vulnerability in setup.php in OpenEMR 4 allows remote attackers to inject arbitrary web script or HTML via the site parameter...
phpStat 1.5 - setup.php Authentication Bypass (PHP) (2)
phpStat 1.5 - setup.php Authentication Bypass PHP 2 ? / PHP Stat Administrative User Authentication Bypass POC Exploit Code by Nikyt0x - Soulblack Security Research Advisory: http://www.soulblack.com.ar/repo/papers/phpstatadvisory.txt Saludos: Soulblack Staff, Status-x, NeosecurityTeam, KingMetal...