MEDIUM
shivammathur
CVE published 2026-07-17
CVE-2026-46420
CVE-2026-46420 is a medium severity vulnerability in the setup-php GitHub action. The action is used to set up PHP with extensions, php.ini configuration, coverage drivers, and tools. The vulnerability allows for command injection on a GitHub Actions runner when workflows such as pull_request_target check out attacker-controlled contents before invoking setup-php. This issue is fixed in version 2.37.1. Us [truncated]