PT-2026-5440 · Vendor: Unknown (+1) · Product: Laravel Tinker (+1)

Aqhmal · Published 2026-01-30 · Updated 2026-02-27

CVE-2026-25129 · CVSS v3.1 7.3 (High) · Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PsySH versions prior to 0.11.23; PsySH versions prior to 0.12.19

Description: PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a .psysh.php file from the Current Working Directory (CWD) on startup. An attacker who can write to a directory that a victim later uses as their CWD when launching PsySH can trigger arbitrary code execution in the victim's context. This is a CWD configuration poisoning issue. If a privileged user launches PsySH with CWD set to an attacker-writable directory containing a malicious .psysh.php, the attacker can execute commands with that privileged user's permissions, resulting in local privilege escalation. Downstream consumers that embed PsySH, such as Laravel Tinker, inherit this risk.

Recommendations: Update PsySH to version 0.11.23 or later. Update PsySH to version 0.12.19 or later.
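As an added defensive illustration (not PsySH's own code and not its actual fix), the following shows how a console could refuse to load a per-directory config file from the CWD unless both the file and its directory are owned by the current user and are not writable by anyone else; the function names and the fall-back-to-defaults behaviour are assumptions.

```php
<?php
// Added example, not PsySH's code: gate the optional per-directory config on
// ownership and permissions before it is ever executed. Assumed function names.
declare(strict_types=1);

function isTrustedLocalConfig(string $path): bool
{
    if (!is_file($path)) {
        return false;
    }
    $dir = dirname($path);
    // Effective uid of the process; null when the posix extension is absent.
    $uid = function_exists('posix_geteuid') ? posix_geteuid() : null;
    foreach ([$path, $dir] as $p) {
        $st = @stat($p);
        if ($st === false) {
            return false;
        }
        // The file and its directory must belong to the user running the console.
        if ($uid !== null && $st['uid'] !== $uid) {
            return false;
        }
        // Reject group- or world-writable entries (e.g. a shared /tmp-style
        // directory), since another user could replace the file before startup.
        if (($st['mode'] & 0022) !== 0) {
            return false;
        }
    }
    return true;
}

function loadLocalConfig(string $cwd): array
{
    $candidate = $cwd . DIRECTORY_SEPARATOR . '.psysh.php';
    if (!isTrustedLocalConfig($candidate)) {
        // Untrusted location: do not execute it, keep the built-in defaults.
        return [];
    }
    $config = include $candidate;
    return is_array($config) ? $config : [];
}

// Usage: $config = loadLocalConfig(getcwd());
```

On Windows, stat() reports a uid of 0 and no POSIX mode bits, so the ownership and permission checks above are only meaningful on Unix-like systems.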

Tags: Exploit · Fix · LPE

Weakness Enumeration: Uncontrolled Search Path Element

Related Identifiers

CVE-2026-25129
GHSA-4486-GXHX-5MG7

Affected Products

Laravel Tinker
PsySH