Description
PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the Current Working Directory (CWD) on startup. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim's context. When the victim runs PsySH with elevated privileges (e.g., root), this results in local privilege escalation. This is a CWD configuration poisoning issue leading to arbitrary code execution in the victim user’s context. If a privileged user (e.g., root, a CI runner, or an ops/debug account) launches PsySH with CWD set to an attacker-writable directory containing a malicious `.psysh.php`, the attacker can execute commands with that privileged user’s permissions, resulting in local privilege escalation. Downstream consumers that embed PsySH inherit this risk. For example, Laravel Tinker (`php artisan tinker`) uses PsySH. If a privileged user runs Tinker while their shell is in an attacker-writable directory, the `.psysh.php` auto-load behavior can be abused in the same way to execute attacker-controlled code under the victim’s privileges. Versions 0.11.23 and 0.12.19 patch the issue.
Published: 2026-01-30
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Patch
AI Analysis

Impact

This vulnerability allows an attacker who can write to a directory that a user later uses as the current working directory to inject arbitrary PHP code via a file named .psysh.php. When PsySH starts, it automatically loads and executes such a file, so a privileged user running PsySH will execute the attacker’s code with the same privileges. The flaw stems from treating the current working directory as a trusted source of configuration and is classified as CWE-427 (Uncontrolled Search Path Element), a path manipulation issue leading to arbitrary code execution. A successful attack grants complete control over the system under the victim’s permissions, affecting root, CI runners, or any other privileged account that launches PsySH.

Affected Systems

Affected products include the PsySH console from bobthecow, specifically versions earlier than 0.11.23 and 0.12.19. Downstream consumers that embed PsySH, such as Laravel Tinker (php artisan tinker), inherit the same risk because they rely on the same auto‑load mechanism. Any user who runs these tools with elevated privileges from a directory that is writable by an attacker is susceptible.

Risk and Exploitability

The CVSS score of 6.7 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of widespread exploitation, and the issue is not listed in CISA’s KEV catalog. The attack vector is local (CVSS AV:L): the attacker must write a malicious .psysh.php file to a directory that the victim will later use as the current working directory when launching PsySH or a dependent tool. Once the victim runs the tool with elevated privileges, arbitrary code execution occurs, effectively escalating the attacker’s privileges to the victim’s level.

Generated by OpenCVE AI on April 18, 2026 at 01:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch versions 0.11.23 or 0.12.19 from PsySH releases
  • If patching is not immediately possible, avoid launching PsySH or any tool that embeds it while the current working directory is an attacker‑writable location
  • Restrict filesystem permissions so that only trusted users can write into directories that may be used as the current working directory for privileged executions
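A pre-launch check that implements the second and third recommendations above, added here as an example; it is not OpenCVE's or the PsySH project's code. It assumes GNU coreutils `stat -c` and a POSIX shell whose arithmetic accepts a leading-zero octal constant; the function names `cwd_config_is_safe` and `safe_psysh` are my own and not part of PsySH.

```shell
#!/bin/sh
# Added example (not PsySH project code): refuse to start PsySH or Tinker
# when the current working directory could have been poisoned with a
# .psysh.php by another user, as described for CVE-2026-25129.
# Assumes GNU `stat -c` and octal arithmetic via a leading 0.
#
# A directory is treated as unsafe when:
#   1. it is owned by neither the current user nor root, or is
#      group/world-writable (anyone could drop a .psysh.php there), or
#   2. a .psysh.php already exists and is owned by someone else or is
#      group/world-writable (someone else could edit what gets executed).

# Print "<uid> <octal mode>" for a path; fails if the path is missing.
owner_and_mode() {
    stat -c '%u %a' "$1" 2>/dev/null
}

# Return 0 if the path is owned by us (or root) and is not writable by
# group or others; return 1 otherwise. $2 is a label for the diagnostic.
path_is_trusted() {
    info=$(owner_and_mode "$1") || return 1
    uid=${info% *}
    mode=${info#* }
    if [ "$uid" != "$(id -u)" ] && [ "$uid" != 0 ]; then
        echo "untrusted owner (uid $uid) on $2: $1" >&2
        return 1
    fi
    # 022 = the group-write and other-write bits of the permission mode.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$2 is group/world-writable (mode $mode): $1" >&2
        return 1
    fi
    return 0
}

# Return 0 when it is safe to launch PsySH with $1 (default: CWD) as CWD.
cwd_config_is_safe() {
    dir=${1:-$PWD}
    path_is_trusted "$dir" "directory" || return 1
    if [ -e "$dir/.psysh.php" ]; then
        path_is_trusted "$dir/.psysh.php" "config file" || return 1
    fi
    return 0
}

# Wrapper:  safe_psysh psysh   or   safe_psysh php artisan tinker
safe_psysh() {
    cwd_config_is_safe "$PWD" || {
        echo "refusing to start PsySH from $PWD" >&2
        return 1
    }
    "$@"
}
```

Source the file and run `safe_psysh php artisan tinker` (or `safe_psysh psysh`) instead of the bare command from any privileged shell. The check inspects only the working directory itself and an existing `.psysh.php`, not parent directories, so it is a stop-gap for the window before upgrading to 0.11.23 or 0.12.19, not a replacement for the patch.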

Advisories
Source       ID                   Title
Github GHSA  GHSA-4486-gxhx-5mg7  PsySH has Local Privilege Escalation via CWD .psysh.php auto-load
History

Fri, 27 Feb 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Psysh
                                      Psysh psysh
CPEs                                  cpe:2.3:a:psysh:psysh:*:*:*:*:*:*:*:*
Vendors & Products                    Psysh
                                      Psysh psysh

Tue, 03 Feb 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Bobthecow
                                      Bobthecow psysh
Vendors & Products                    Bobthecow
                                      Bobthecow psysh

Mon, 02 Feb 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 30 Jan 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the Current Working Directory (CWD) on startup. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim's context. When the victim runs PsySH with elevated privileges (e.g., root), this results in local privilege escalation. This is a CWD configuration poisoning issue leading to arbitrary code execution in the victim user’s context. If a privileged user (e.g., root, a CI runner, or an ops/debug account) launches PsySH with CWD set to an attacker-writable directory containing a malicious `.psysh.php`, the attacker can execute commands with that privileged user’s permissions, resulting in local privilege escalation. Downstream consumers that embed PsySH inherit this risk. For example, Laravel Tinker (`php artisan tinker`) uses PsySH. If a privileged user runs Tinker while their shell is in an attacker-writable directory, the `.psysh.php` auto-load behavior can be abused in the same way to execute attacker-controlled code under the victim’s privileges. Versions 0.11.23 and 0.12.19 patch the issue.
Title                          PsySH has Local Privilege Escalation via CWD .psysh.php auto-load
Weaknesses                     CWE-427
References
Metrics                        cvssV3_1
                               {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-02T15:45:55.276Z

Reserved: 2026-01-29T14:03:42.540Z

Link: CVE-2026-25129

Vulnrichment

Updated: 2026-02-02T15:44:51.430Z

NVD

Status : Analyzed

Published: 2026-01-30T21:15:58.260

Modified: 2026-02-27T20:36:55.680

Link: CVE-2026-25129

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses