Phpunity · Phpunit · CVE-2026-41570
**Name of the Vulnerable Software and Affected Versions**
PHPUnit versions prior to 12.5.22
PHPUnit versions prior to 13.1.6
**Description**
PHPUnit forwards PHP INI settings to child processes as `-d name=value` command-line arguments without neutralizing INI metacharacters. The PHP CLI appends each `-d` argument to an in-memory INI buffer, one directive per line, and the INI parser treats a newline as a directive separator, `;` as the start of a comment and `"` as a value delimiter. An attacker who can influence an INI value can therefore inject arbitrary directives into the child process configuration.

The value can be influenced by modifying `<ini name="…" value="…"/>` entries in `phpunit.xml` or `phpunit.xml.dist`, or through settings inherited from the host PHP runtime via `ini_get_all()`. Setting the `auto_prepend_file` directive to an attacker-controlled path yields remote code execution in the child process.

This issue is particularly relevant in Poisoned Pipeline Execution scenarios: an untrusted contributor submits a pull request that modifies `phpunit.xml` with newline characters that are easy to overlook in review (an XML parser normalizes a literal newline inside an attribute value to a space, so the newline arrives as a character reference such as `&#10;`, which a diff shows on a single line), and a CI system runs the test suite without isolation. The vulnerable function is `PHPUnit\Util\PHP\JobRunner::settingsToParameters()`.
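The mechanism above, as an added example that is not PHPUnit's own code: a stand-in for a settings-to-parameters routine in its vulnerable shape, a guarded variant, and a probe that starts a child `php` and reads back what the child's INI actually contains. The guard is one possible mitigation assumed here, not the PHPUnit fix; the injected directive is deliberately `precision` rather than `auto_prepend_file` so the demonstration stays harmless. It assumes a POSIX shell and a `php` binary at `PHP_BINARY`.

```php
<?php
declare(strict_types=1);

// Added example, not PHPUnit's own code. It mimics a settings-to-parameters
// routine that hands INI settings to a child `php` process as `-d`
// arguments: first the vulnerable shape, then a guarded one.
// Assumes a POSIX shell and a `php` binary reachable via PHP_BINARY.

/**
 * Vulnerable shape: each "name=value" string becomes one `-d` argument.
 * escapeshellarg() protects the shell, but the newline survives inside the
 * single-quoted argument. The PHP CLI appends every `-d` argument to an
 * in-memory INI buffer, one line each, so the embedded newline ends the
 * first directive and starts a second one.
 */
function settingsToParametersUnsafe(array $settings): string
{
    $params = '';
    foreach ($settings as $setting) {
        $params .= ' -d ' . escapeshellarg($setting);
    }
    return $params;
}

/**
 * Guarded shape (one possible mitigation, assumed here rather than taken
 * from the PHPUnit fix): reject directive names and values that carry INI
 * metacharacters before they reach the command line.
 */
function settingsToParametersGuarded(array $settings): string
{
    $params = '';
    foreach ($settings as $setting) {
        [$name, $value] = array_pad(explode('=', $setting, 2), 2, '');
        if (!preg_match('/^[A-Za-z0-9_.]+$/', $name)) {
            throw new InvalidArgumentException('invalid INI directive name: ' . var_export($name, true));
        }
        // \r and \n separate directives, ; starts a comment, " delimits
        // quoted values, NUL would truncate the argument.
        if (preg_match('/[\r\n";\x00]/', $value)) {
            throw new InvalidArgumentException("INI metacharacter in value of {$name}");
        }
        $params .= ' -d ' . escapeshellarg($name . '=' . $value);
    }
    return $params;
}

/** Start a child php with the given -d parameters and read back two settings. */
function childIni(string $params): array
{
    $probe = 'echo json_encode([ini_get("memory_limit"), ini_get("precision")]);';
    $cmd   = escapeshellarg(PHP_BINARY) . $params . ' -n -r ' . escapeshellarg($probe);
    $out   = shell_exec($cmd);
    return json_decode((string) $out, true) ?? [];
}

// Constructed attacker-controlled setting: the newline after "256M" smuggles
// a second directive. The injected directive is deliberately harmless here
// (precision); in the real attack it is auto_prepend_file=<path>.
$settings = ["memory_limit=256M\nprecision=7"];

// Vulnerable path: the second directive is applied in the child.
print_r(childIni(settingsToParametersUnsafe($settings)));

// Guarded path: the value never reaches the command line.
try {
    childIni(settingsToParametersGuarded($settings));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Running it shows the point of the advisory: the shell quoting is intact, yet the child started through the unsafe path reports the precision that only the smuggled second directive could have set, while the guarded path refuses the setting before any process is spawned. Rejecting is preferable to escaping here because the INI scanner has several quoting modes and escaping rules of its own, and a value that legitimately needs a newline or a `;` has no business in a forwarded `-d` argument.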
**Recommendations**
Update to version 12.5.22 or later on the 12.x branch, or to version 13.1.6 or later on the 13.x branch.
Audit `phpunit.xml` and `phpunit.xml.dist` to ensure no `<ini name="…" value="…"/>` entry contains a newline, carriage return, `"`, or `;` in either attribute. Check the parsed attribute value rather than grepping the raw file: a literal newline inside an XML attribute is normalized to a space by the parser, so the dangerous form is a character reference such as `&#10;`, `&#xA;` or `&#13;`, which a diff shows on a single line.
Run PHPUnit against pull requests only in ephemeral, containerized runners that discard filesystem state between jobs.
Require human approval before CI runs pull requests from forks.
Enforce branch protection on workflows that handle secrets.
Restrict modification access to `phpunit.xml`, treating `<ini>` entries as security-sensitive.
Ensure the host `php.ini` does not contain values with embedded newlines or unescaped metacharacters, since PHPUnit collects the running interpreter's settings via `ini_get_all()` and forwards them to child processes.
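An audit covering both the configuration-file check and the host-runtime check above, as an added script that is not part of PHPUnit. It reads `<ini>` entries through `DOMDocument` so that entity-encoded newlines are seen exactly as PHPUnit's own XML loader would see them, and it applies the same metacharacter test to `ini_get_all()`. The `phpunit.xml` document is constructed for the example and its `auto_prepend_file` path is hypothetical.

```php
<?php
declare(strict_types=1);

// Added audit script, not part of PHPUnit. It checks the two sources of
// INI values the advisory names: <ini> entries in a PHPUnit configuration
// file and the host runtime's own settings as returned by ini_get_all().

/** INI metacharacters: directive separators, quote, comment start, NUL. */
const INI_METACHARS = '/[\r\n";\x00]/';

/**
 * Take [name, value] pairs and return the names whose name or value would
 * let a `-d name=value` argument smuggle in a second directive.
 */
function findUnsafeIniEntries(array $pairs): array
{
    $unsafe = [];
    foreach ($pairs as [$name, $value]) {
        if (!preg_match('/^[A-Za-z0-9_.]+$/', $name) || preg_match(INI_METACHARS, $value)) {
            $unsafe[] = $name;
        }
    }
    return $unsafe;
}

/**
 * Read every <ini name="…" value="…"/> from a phpunit.xml document.
 * An XML parser normalizes a literal newline inside an attribute value to a
 * space; only a character reference such as &#10; or &#xA; survives as a
 * real newline. Inspecting the parsed attribute therefore catches the value
 * PHP would actually receive, however the author encoded it.
 */
function iniEntriesFromXml(string $xml): array
{
    $doc      = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $ok       = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new RuntimeException('configuration file is not well-formed XML');
    }
    $pairs = [];
    foreach ($doc->getElementsByTagName('ini') as $ini) {
        $pairs[] = [$ini->getAttribute('name'), $ini->getAttribute('value')];
    }
    return $pairs;
}

/** Host runtime settings as [name, value] pairs (the ini_get_all() path). */
function hostIniEntries(): array
{
    $pairs = [];
    foreach (ini_get_all(null, false) as $name => $value) {
        $pairs[] = [(string) $name, (string) $value];
    }
    return $pairs;
}

// Constructed phpunit.xml: the second <ini> hides a newline as &#10; followed
// by a hypothetical auto_prepend_file path; a diff viewer shows it on one line.
$sample = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<phpunit bootstrap="vendor/autoload.php">
  <php>
    <ini name="display_errors" value="1"/>
    <ini name="memory_limit" value="256M&#10;auto_prepend_file=/tmp/constructed-payload.php"/>
  </php>
</phpunit>
XML;

foreach (findUnsafeIniEntries(iniEntriesFromXml($sample)) as $name) {
    echo "unsafe <ini> entry in configuration: {$name}", PHP_EOL;
}
foreach (findUnsafeIniEntries(hostIniEntries()) as $name) {
    echo "unsafe value in host runtime INI: {$name}", PHP_EOL;
}
```

On the constructed input the first loop flags `memory_limit` and nothing else. The second loop is the `php.ini` check from the last recommendation; expect it to flag `include_path` on Windows, where `;` is the legitimate path separator, so treat that one hit as a known false positive rather than a sign of tampering.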