| Package | phpunit |
|---|---|
| Version | 7.5.6-1+deb10u1 (buster) |
| Related CVEs | CVE-2026-24765 |

PHPUnit is a testing framework for PHP. A vulnerability has been
discovered involving unsafe deserialization of code coverage data in
PHPT test execution. The vulnerability exists in the
`cleanupForCoverage()` method, which deserializes code coverage files
without validation, potentially allowing remote code execution if
malicious `.coverage` files are present prior to the execution of the
PHPT test.

For Debian 10 buster, this problem has been fixed in version 7.5.6-1+deb10u1.

We recommend that you upgrade your phpunit packages.
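
The condition named above, `.coverage` files already present before the PHPT test runs, can also be checked for directly before a test job starts. The following is an added example, not part of this advisory or of PHPUnit; the function names are hypothetical, and treating `name.coverage` as belonging to `name.phpt` in the same directory is an assumption.

```shell
#!/bin/sh
# Pre-flight guard for a job that runs PHPT tests (added example).
# Assumption: coverage files are produced only by the test run itself,
# so any *.coverage file that exists beforehand is unexpected.

# List coverage files under DIR, one per line, tagged:
#   PAIRED <path>  a same-named .phpt test sits beside it (assumed pairing)
#   ORPHAN <path>  no matching test beside it
# Symlinks are included because a link can point at attacker-supplied data.
list_coverage_files() {
    [ -d "$1" ] || return 2
    find "$1" \( -type f -o -type l \) -name '*.coverage' -exec sh -c '
        for cov in "$@"; do
            if [ -e "${cov%.coverage}.phpt" ]; then tag=PAIRED; else tag=ORPHAN; fi
            printf "%s %s\n" "$tag" "$cov"
        done' sh {} +
}

# Exit status: 0 = tree is clean, 1 = coverage files found,
# 2 = DIR could not be scanned (treated as failure, not as "clean").
preflight_check() {
    pc_found=$(list_coverage_files "$1") || {
        printf 'cannot scan %s\n' "$1" >&2
        return 2
    }
    if [ -n "$pc_found" ]; then
        printf 'pre-existing coverage files, not running PHPT tests:\n%s\n' \
            "$pc_found" >&2
        return 1
    fi
    return 0
}

# Typical use in a CI step (tests/ is a placeholder path):
#   preflight_check tests/ && phpunit tests/
```

The check complements the package upgrade rather than replacing it.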

Further information about Extended LTS security advisories can be found in the dedicated section of our website.