Security: php/pie
Security
SECURITY.md
The following versions will receive security updates.
| Version | Security updates |
|---|---|
| 1.5.x | β |
| 1.4.x | β |
| 1.3.x | β |
| < 1.3 | β |
Please do not publicly disclose security vulnerabilities.
If you discover something that you think may be a vulnerability, please report it privately on GitHub.
- Go to the Security and Quality tab in the PIE repository.
- Click Report a vulnerability and fill in the form with as much information as possible.
- Hit submit, and we'll look into it as soon as possible.
Thank you for responsibly disclosing issues in PIE 🥧
- Self-update attestation verification is scoped to `--owner=php`, not `--repo=php/pie` (GHSA-p4j8-36rr-gjfq), published May 26, 2026 by asgrim. Severity: Low
- WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal) (GHSA-8xmh-xrvp-hwrf), published May 26, 2026 by asgrim. Severity: Moderate
- php-ext.build-path traversal escapes PIE's vendor extract directory (GHSA-vcv4-gmjc-mxvq), published May 26, 2026 by asgrim. Severity: Moderate
- PIE self-update accepts any historically-attested `pie.phar` (rollback gap) (GHSA-f67f-c344-cqqr), published May 26, 2026 by asgrim. Severity: Moderate
- Sudo-elevated root code execution via TOCTOU between `self-update` verify and write (GHSA-pm6p-666q-hvj5), published May 26, 2026 by asgrim. Severity: High
- Sudo-elevated arbitrary file deletion via `extra.pie-installed-binary` metadata in `UninstallUsingUnlink` (GHSA-h842-vjwg-pxxx), published May 26, 2026 by asgrim. Severity: High
Learn more about advisories related to php/pie in the GitHub Advisory Database