CVE-2026-24765 is a high-severity vulnerability in PHPUnit (CVSS score 7.8) that allows remote code execution through manipulated code coverage artifacts. The flaw lies in the PHPT test runner, specifically in the cleanupForCoverage() method, which deserializes code coverage files without validation. According to the security advisory, this can lead to remote code execution if malicious .coverage files are present in the coverage location before the PHPT tests run.
Exploitation requires local write access to the location where PHPUnit stores code coverage files. This makes CI/CD pipelines a particular risk, since a malicious pull request or a compromised dependency can plant such files, and local development environments are exposed as well. Affected versions span PHPUnit 8 through 12: every release in those series older than the patched versions (8.5.52, 9.6.33, 10.5.62, 11.5.50 and 12.5.8), which have been released to mitigate the flaw.
To secure pipelines, the advisory urges defence-in-depth measures such as isolating runners, restricting execution with branch protection rules, and scanning artifacts for tampering.
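One concrete form of the artifact check above is a pre-flight gate that refuses to start the PHPT tests when .coverage files already exist in the coverage location. The script below is an added example, not code from PHPUnit or the advisory; the coverage directory and the PHPUNIT_COVERAGE_DIR variable are assumptions for illustration.

```shell
#!/bin/sh
# CI pre-flight gate (hypothetical helper, not part of PHPUnit):
# a fresh test run must not find pre-existing .coverage artifacts,
# because those files are deserialized by the PHPT runner.

# list_stale_coverage DIR: print every *.coverage file under DIR (recursive).
# A missing directory counts as clean, so nothing is printed.
list_stale_coverage() {
    dir="$1"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -name '*.coverage' 2>/dev/null
}

# coverage_dir_is_clean DIR: exit 0 when no .coverage files exist, 1 otherwise.
coverage_dir_is_clean() {
    count=$(list_stale_coverage "$1" | wc -l | tr -d ' ')
    [ "$count" -eq 0 ]
}

# preflight DIR: report the result for the job log and return a CI-friendly
# exit code (0 = safe to run PHPT tests, 1 = stale artifacts found).
preflight() {
    dir="$1"
    if coverage_dir_is_clean "$dir"; then
        echo "ok: no pre-existing .coverage files under $dir"
        return 0
    fi
    echo "refusing to run PHPT tests: stale .coverage artifacts found:" >&2
    list_stale_coverage "$dir" | sed 's/^/  /' >&2
    return 1
}

# Usage in a CI step (PHPUNIT_COVERAGE_DIR is an assumed variable, set to
# wherever this project's PHPUnit configuration writes coverage):
#   preflight "${PHPUNIT_COVERAGE_DIR:-build/coverage}" && vendor/bin/phpunit
```

Run the gate on a runner that was provisioned fresh for the job; on a reused runner a clean result only says the directory is empty now, not that earlier jobs were trustworthy.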