What is CVE-2026-24765?

CVE-2026-24765 is a high-severity vulnerability in Sebastianbergmann Phpunit, classified under Deserialization of Untrusted Data. CVSS score: 7.8/10. Published 2026-01-27.

How severe is CVE-2026-24765?

High severity. CVSS v3 base score is 7.8 out of 10.

Deserialization in Sebastianbergmann Phpunit

CVE-2026-24765

PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability…

Vulnerability class: Insecure Deserialization

EPSS: 0.002 (46.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.8 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Sebastianbergmann Phpunit — versions < 8.5.52, >= 9.0.0, < 9.6.33, >= 10.0.0, < 10.5.62

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

References

https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p (x_refsource_CONFIRM)
https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda (x_refsource_MISC)
https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63 (x_refsource_MISC)
https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50 (x_refsource_MISC)
https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8 (x_refsource_MISC)
https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52 (x_refsource_MISC)
https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-24765?: CVE-2026-24765 is a high-severity vulnerability in Sebastianbergmann Phpunit, classified under Deserialization of Untrusted Data. CVSS score: 7.8/10. Published 2026-01-27.
How severe is CVE-2026-24765?: High severity. CVSS v3 base score is 7.8 out of 10.