{
  "id": 76021,
  "date": "2026-01-30T23:42:48",
  "date_gmt": "2026-01-30T20:12:48",
  "guid": {"rendered": "https:\/\/afaghhosting.net\/blog\/cve-2026-25129-psysh-has-local-privilege-escalation-via-cwd-psysh-php-auto-load\/"},
  "modified": "2026-01-30T23:42:48",
  "modified_gmt": "2026-01-30T20:12:48",
  "slug": "cve-2026-25129-psysh-has-local-privilege-escalation-via-cwd-psysh-php-auto-load",
  "status": "publish",
  "type": "post",
  "link": "https:\/\/afaghhosting.net\/blog\/cve-2026-25129-psysh-has-local-privilege-escalation-via-cwd-psysh-php-auto-load\/",
  "title": {"rendered": "CVE-2026-25129 &#8211; PsySH has Local Privilege Escalation via CWD .psysh.php auto-load"},
  "content": {
    "rendered": "<p>CVE ID : CVE-2026-25129<\/p>\n<p>Published : Jan. 30, 2026, 8:12 p.m.<\/p>\n<p>Description : PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` configuration file from the current working directory (CWD) on startup, without any check on who owns that file or who can write to that directory. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker\u2019s `.psysh.php` runs as ordinary PHP in the victim\u2019s context. This is CWD configuration poisoning: when the victim is a privileged user (e.g., root, a CI runner, or an ops\/debug account), the planted file executes with that user\u2019s permissions, which is a local privilege escalation. A shared, world-writable location such as \/tmp is the typical setting; the sticky bit does not help, because the attacker only needs to create the file before the victim starts the REPL there. Downstream consumers that embed PsySH inherit the risk. For example, Laravel Tinker (`php artisan tinker`) uses PsySH; if a privileged user runs Tinker while their shell is in an attacker-writable directory, the same auto-load behavior executes attacker-controlled code under the victim\u2019s privileges. Versions 0.11.23 and 0.12.19 patch the issue. Until the upgrade is in place, do not start PsySH or Tinker as a privileged user from a directory that other local users can write to, and check for an unexpected `.psysh.php` in the CWD before launching.<\/p>\n<p>Severity: 0.0 | NA (no CVSS score published yet)<\/p>\n<p>Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;<\/p>\n",
    "protected": false
  },
  "excerpt": {
    "rendered": "<p>CVE ID : CVE-2026-25129 Published : Jan. 30, 2026, 8:12 p.m. Description : PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the current working directory (CWD) on startup. If an attacker can write &hellip;<\/p>\n",
    "protected": false
  },
  "author": 1,
  "featured_media": 0,
  "comment_status": "closed",
  "ping_status": "closed",
  "sticky": false,
  "template": "",
  "format": "standard",
  "meta": {"footnotes": ""},
  "categories": [26],
  "tags": [],
  "class_list": ["post-76021", "post", "type-post", "status-publish", "format-standard", "hentry", "category-vulnerability"],
  "_links": {
    "self": [{"href": "https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/76021", "targetHints": {"allow": ["GET"]}}],
    "collection": [{"href": "https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],
    "about": [{"href": "https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],
    "author": [{"embeddable": true, "href": "https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],
    "replies": [{"embeddable": true, "href": "https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=76021"}],
    "version-history": [{"count": 0, "href": "https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/76021\/revisions"}],
    "wp:attachment": [{"href": "https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=76021"}],
    "wp:term": [
      {"taxonomy": "category", "embeddable": true, "href": "https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=76021"},
      {"taxonomy": "post_tag", "embeddable": true, "href": "https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=76021"}
    ],
    "curies": [{"name": "wp", "href": "https:\/\/api.w.org\/{rel}", "templated": true}]
  }
}
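The advisory above ends where most do: upgrade to 0.11.23 or 0.12.19. What an operator wants in the meantime is a pre-flight check that refuses to start `psysh` or `php artisan tinker` as a privileged user from a directory that could carry a planted `.psysh.php`. The script below is an added example, not code from this page, from PsySH, or from Laravel. The trust rules it enforces (the directory must not be writable by other users, and any `.psysh.php` present must be owned by the launching user and not be writable by others) are the usual rules for auto-loaded startup files and are this editor's assumption about what a safe loader should require, not a description of PsySH's actual patch. It assumes a POSIX host (uids and mode bits), never invokes PsySH, and the "planted" file it builds in a temporary directory is a constructed placeholder with no payload.

```python
"""
Pre-flight check for the CWD config-poisoning pattern behind CVE-2026-25129.

Added example: not PsySH or Laravel code. The ownership/permission rules are an
assumption about what a safe startup-file loader should require, not PsySH's
own fix. Assumes a POSIX host; psysh/tinker are never invoked.
"""
import os
import stat
import tempfile

CONFIG_NAME = ".psysh.php"                    # file PsySH auto-loads from the CWD
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH     # mode bits meaning "others can write"


def check_cwd_config(cwd, uid=None, config_name=CONFIG_NAME):
    """Return the reasons `cwd` is unsafe for a privileged REPL start.

    An empty list means no finding. `uid` is the user who will launch the
    REPL (defaults to the caller) so the scan can be run on behalf of root.
    """
    if uid is None:
        uid = os.getuid()
    findings = []

    dmode = os.stat(cwd).st_mode
    # Anyone who can write to the directory can plant the config file. The
    # sticky bit (as on /tmp) only blocks deleting other users' files, not
    # creating new ones, so it does not make the directory safe.
    if dmode & OTHER_WRITE:
        findings.append("directory is group/world writable")

    path = os.path.join(cwd, config_name)
    try:
        link = os.lstat(path)
    except FileNotFoundError:
        return findings                        # nothing to auto-load right now

    if stat.S_ISLNK(link.st_mode):
        findings.append("config file is a symlink")
        if link.st_uid != uid:
            findings.append("symlink owned by uid %d, not %d" % (link.st_uid, uid))
        try:
            target = os.stat(path)             # what PHP would actually include
        except OSError:
            findings.append("symlink target is unreadable or missing")
            return findings
    else:
        target = link

    if target.st_uid != uid:
        findings.append("config file owned by uid %d, not %d" % (target.st_uid, uid))
    if target.st_mode & OTHER_WRITE:
        findings.append("config file is group/world writable")
    return findings


def safe_to_launch(cwd, uid=None):
    """True only when check_cwd_config() reports nothing."""
    return not check_cwd_config(cwd, uid)


def make_trusted_layout():
    """Constructed sample: a private (0700) directory holding a self-owned,
    0600 config file, i.e. the layout a developer's own project dir has."""
    private = tempfile.mkdtemp(prefix="psysh-private-")   # mkdtemp creates 0700
    own = os.path.join(private, CONFIG_NAME)
    with open(own, "w") as fh:
        fh.write("<?php // the user's own, legitimate startup config\n")
    os.chmod(own, 0o600)
    return private


def simulate_attack(victim_uid=None):
    """Constructed sample of the advisory's scenario: a /tmp-like shared
    directory with a planted config. Whoever runs this plays the attacker
    (they own the file); the victim is a different uid, passed explicitly.
    Returns the findings the victim's pre-flight check would produce."""
    if victim_uid is None:
        victim_uid = os.getuid() + 1           # any uid other than the attacker
    shared = tempfile.mkdtemp(prefix="psysh-shared-")
    os.chmod(shared, 0o1777)                   # sticky + world-writable, like /tmp
    planted = os.path.join(shared, CONFIG_NAME)
    with open(planted, "w") as fh:
        fh.write("<?php // placeholder for attacker-controlled PHP (no payload)\n")
    os.chmod(planted, 0o666)
    return check_cwd_config(shared, uid=victim_uid)


if __name__ == "__main__":
    print("empty private dir safe:", safe_to_launch(tempfile.mkdtemp()))
    print("own config in private dir safe:", safe_to_launch(make_trusted_layout()))
    for reason in simulate_attack():
        print("finding:", reason)
```

Run it as the account that will launch the REPL, or pass that account's uid, since ownership is judged relative to the launcher. Wrapping the REPL in a shell function that calls `check_cwd_config(os.getcwd())` and aborts on any finding is enough to close the window until the upgrade lands; the symlink branch matters in sticky directories, where an attacker who cannot overwrite your file can still plant a link under the expected name.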