CVE-2026-24765
PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling
Description
PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control.
INFO
Published Date :
Jan. 27, 2026, 10:15 p.m.
Last Modified :
Feb. 6, 2026, 1:15 p.m.
Remotely Exploit :
No
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 3.1 | HIGH | MITRE-CVE |
Solution
- Update PHPUnit to a version that addresses unsafe deserialization.
- Ensure no malicious .coverage files exist before PHPT tests.
- Implement secure CI/CD practices like ephemeral runners.
- Review and restrict access to coverage file locations.
Public PoC/Exploit Available at Github
CVE-2026-24765 has a 2 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-24765.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-24765 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-24765
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
2012 and 2017 revival
PHP Batchfile JavaScript Hack CSS Lua Blade
PHP Code to support a volunteer organization's timesheet application. Fully creation of Vishal Khapre. Ported from Java to PHP to reduce hosting costs for non profit organization.
PHP HTML CSS JavaScript Twig
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-24765 vulnerability anywhere in the article.
-
Daily CyberSecurity
Safety Broken: PyTorch “Safe” Mode Bypassed by Critical RCE Flaw
The development team behind PyTorch, the backbone of modern deep learning and AI research, has patched a high-severity vulnerability that breaks the trust of its most security-conscious feature. Track ... Read more
-
Daily CyberSecurity
CVE-2026-24765: PHPUnit Vulnerability Exposes CI/CD Pipelines to RCE
The maintainers of PHPUnit, the industry-standard testing framework for PHP, have released a critical security update to address a high-severity vulnerability that turns the testing process itself int ... Read more
-
Daily CyberSecurity
CVE-2026-24002: Critical Sandbox Escape Turns Grist Spreadsheets into RCE Weapons
A seemingly innocent spreadsheet formula could be the key to compromising entire organizations, thanks to a critical vulnerability uncovered by Cyera Research Labs in Grist-Core. The flaw, tracked as ... Read more
The following table lists the changes that have been made to the
CVE-2026-24765 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Feb. 06, 2026
Action Type Old Value New Value Added Reference https://lists.debian.org/debian-lts-announce/2026/02/msg00009.html -
New CVE Received by [email protected]
Jan. 27, 2026
Action Type Old Value New Value Added Description PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control. Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-502 Added Reference https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda Added Reference https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63 Added Reference https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50 Added Reference https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8 Added Reference https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52 Added Reference https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33 Added Reference https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p