Cyber Resilience

CVE-2026-25129

Severity: Medium · Public PoC referenced

Published: 30 January 2026
Modified: 27 February 2026
KEV Added: not listed
Patch: PsySH 0.11.23 / 0.12.19 (advisory GHSA-4486-gxhx-5mg7)
CVSS v3.1 score: 6.7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0001 (0.5th percentile)
Risk priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25129 is a medium-severity Uncontrolled Search Path Element (CWE-427) vulnerability in PsySH, the PHP runtime console and REPL (Packagist package psysh/psysh). Its CVSS v3.1 base score is 6.7 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 0.5th percentile by exploit likelihood, well below the median; it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST SP 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

PsySH, a runtime developer console, interactive debugger, and REPL for PHP, contains a vulnerability in versions prior to 0.11.23 and 0.12.19 where it automatically loads and executes a `.psysh.php` file from the current working directory (CWD) upon startup. This constitutes a CWD configuration poisoning issue (CWE-427), enabling arbitrary code execution in the context of the user running PsySH. Downstream consumers embedding PsySH, such as Laravel Tinker via `php artisan tinker`, inherit the same risk.

An attacker who can write to a directory places a malicious `.psysh.php` there. Exploitation occurs if a victim later launches PsySH (directly, or through a wrapper such as Laravel Tinker) with that directory as the CWD: the file is executed with the victim's privileges. The CVSS vector reflects this: local access (AV:L), an attacker who already holds low privileges on the host (PR:L), high attack complexity (AC:H) because the attacker must wait for a victim to run PsySH from the poisoned directory, and user interaction (UI:R), such as the victim navigating to the directory in their shell. If the victim runs as root, a CI runner, or an ops/debug account, the result is local privilege escalation; confidentiality, integrity and availability impacts are all rated high, and the 6.7 base score is the product of those high-impact metrics being offset by the local vector, high complexity and user-interaction requirements.

The PsySH security advisory (GHSA-4486-gxhx-5mg7) and release notes for versions 0.11.23 and 0.12.19 detail the patch, which addresses the automatic loading of `.psysh.php` from the CWD. Security practitioners should upgrade to these fixed versions and advise users to avoid running PsySH or embedded tools like Laravel Tinker from untrusted or writable directories.
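One way to operationalise both recommendations, as an added example that is not PsySH's or Laravel's own code: a small Python audit script that (1) reads a `composer.lock` and reports whether the locked `psysh/psysh` version falls inside the affected ranges stated above, and (2) walks a directory tree for `.psysh.php` files that sit in, or are themselves, group- or world-writable locations, i.e. places where a CWD poisoning attack is possible. The `composer.lock` content and the directory tree the script builds are constructed for the demonstration; the version-range logic (0.12.0 up to 0.12.18 on the 0.12 line, anything below 0.11.23 otherwise) is this example's reading of the advisory text, not code from the project.

```python
"""Audit helpers for CVE-2026-25129 (PsySH auto-loads .psysh.php from the CWD).

Added example; not PsySH project code. Two checks:
  1. is_affected_version / affected_from_composer_lock: is the locked
     psysh/psysh inside the advisory's affected ranges?
  2. find_risky_psysh_configs: which .psysh.php files sit in, or are
     themselves, group/world-writable locations a victim might cd into
     before launching PsySH or `php artisan tinker`?
The composer.lock snippet and the tree built by demo() are constructed input.
"""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

FIXED_0_11 = (0, 11, 23)   # first fixed release on the 0.11 line (advisory)
FIXED_0_12 = (0, 12, 19)   # first fixed release on the 0.12 line (advisory)


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn a Composer version string such as 'v0.12.18' into (0, 12, 18)."""
    core = v.lstrip("v").split("-")[0]      # drop 'v' prefix and '-dev'/'-beta' suffix
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected_version(version: str) -> bool:
    """True if this psysh/psysh version still auto-loads .psysh.php from the CWD.

    Assumption (follows the advisory text): the 0.12 line is affected from
    0.12.0, every line before 0.11.23 is covered by 'prior to 0.11.23', and
    anything newer than both fixed releases carries the fix.
    """
    v = parse_version(version)
    if v[:2] == (0, 12):
        return v < FIXED_0_12
    return v < FIXED_0_11


def affected_from_composer_lock(lock_json: str) -> Optional[str]:
    """Return the locked psysh/psysh version if it is affected, else None.

    Both 'packages' and 'packages-dev' are searched: Tinker pulls PsySH in as a
    runtime dependency, other projects require it only under require-dev.
    """
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "psysh/psysh":
                ver = pkg["version"]
                return ver if is_affected_version(ver) else None
    return None


def _writable_by_others(path: Path) -> bool:
    """Group- or world-writable according to the mode bits."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_risky_psysh_configs(root: Path) -> List[Path]:
    """List .psysh.php files that other local users could have planted or edited.

    A writable parent is enough: the attacker needs no existing file, they can
    create one. Sticky-bit directories such as /tmp are still flagged because
    creating new files there is exactly what the attack needs.
    """
    risky = [cfg for cfg in root.rglob(".psysh.php")
             if _writable_by_others(cfg.parent) or _writable_by_others(cfg)]
    return sorted(risky)


# Constructed sample lock file: a Tinker install whose psysh/psysh is still 0.12.18.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/tinker", "version": "v2.9.0"},
        {"name": "psysh/psysh", "version": "v0.12.18"},
    ],
    "packages-dev": [],
})


def demo() -> dict:
    """Build a constructed directory tree, run both checks, return the findings."""
    base = Path(tempfile.mkdtemp(prefix="psysh-audit-"))
    shared = base / "shared-scratch"   # team build area: sticky + world-writable, like /tmp
    private = base / "home-ops"        # an operator's own, owner-only directory
    shared.mkdir()
    private.mkdir()
    (shared / ".psysh.php").write_text("<?php // anyone on the host could have put this here\n")
    (private / ".psysh.php").write_text("<?php // the operator's own config\n")
    os.chmod(shared, 0o1777)
    os.chmod(private, 0o700)
    os.chmod(private / ".psysh.php", 0o600)
    risky = [p.relative_to(base).as_posix() for p in find_risky_psysh_configs(base)]
    return {"affected_version": affected_from_composer_lock(SAMPLE_COMPOSER_LOCK),
            "risky_configs": risky}


if __name__ == "__main__":
    print(demo())
```

Run it from the project root that holds `composer.lock`; on a real host, point `find_risky_psysh_configs` at home directories, shared scratch areas and CI workspaces, since those are the directories a privileged user is most likely to `cd` into before running `php artisan tinker`. Only the mode bits are checked; an ACL or a directory owned by another user that the script cannot see would still need a manual look.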

Vulnerability details

PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the Current Working Directory (CWD) on startup. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim's context. When the victim runs PsySH with elevated privileges (e.g., root), this results in local privilege escalation. This is a CWD configuration poisoning issue leading to arbitrary code execution in the victim user's context. If a privileged user (e.g., root, a CI runner, or an ops/debug account) launches PsySH with CWD set to an attacker-writable directory containing a malicious `.psysh.php`, the attacker can execute commands with that privileged user's permissions, resulting in local privilege escalation. Downstream consumers that embed PsySH inherit this risk. For example, Laravel Tinker (`php artisan tinker`) uses PsySH. If a privileged user runs Tinker while their shell is in an attacker-writable directory, the `.psysh.php` auto-load behavior can be abused in the same way to execute attacker-controlled code under the victim's privileges. Versions 0.11.23 and 0.12.19 patch the issue.

CWE(s)

CWE-427 Uncontrolled Search Path Element
Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1204.002 User Execution: Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The vulnerability enables arbitrary code execution by auto-loading an attacker-placed `.psysh.php` from the CWD (CWE-427). When a higher-privileged victim runs PsySH or Tinker after changing into the poisoned directory, this yields local privilege escalation (T1068); because execution depends on the victim starting the tool from that directory, it also relies on user interaction to execute the malicious config file (T1204.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23741 (shared CWE-427)
CVE-2026-42171 (shared CWE-427)
CVE-2026-4134 (shared CWE-427)
CVE-2026-2361 (shared CWE-427)
CVE-2026-2360 (shared CWE-427)
CVE-2026-23740 (shared CWE-427)
CVE-2024-9495 (shared CWE-427)
CVE-2026-24502 (shared CWE-427)
CVE-2025-48503 (shared CWE-427)
CVE-2026-34054 (shared CWE-427)

Affected Assets

psysh / psysh
< 0.11.23 · 0.12.0 to 0.12.18 (fixed in 0.11.23 and 0.12.19)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 Flaw Remediation

Directly requires applying the vendor patches in 0.11.23/0.12.19 that eliminate automatic execution of attacker-controlled .psysh.php from the CWD.

prevent · AC-6 Least Privilege

Running PsySH and Tinker only from unprivileged accounts limits the impact of CWD poisoning to that account's privileges, blocking local privilege escalation to root or CI-runner accounts.

prevent

Enforces access restrictions on directories that could become a victim's CWD, reducing the attacker's ability to plant a malicious .psysh.php file.

References

GHSA-4486-gxhx-5mg7: PsySH security advisory
PsySH release notes for 0.11.23 and 0.12.19