[wp-trac] [WordPress Trac] #64646: Vulnerability in /public/wp-includes/sodium_compat/composer.json.
WordPress Trac
noreply at wordpress.org
Mon Feb 16 16:56:37 UTC 2026
#64646: Vulnerability in /public/wp-includes/sodium_compat/composer.json.
------------------------------+--------------------------------
 Reporter:  artsiomreutovich  |       Owner:  (none)
     Type:  defect (bug)      |      Status:  closed
 Priority:  normal            |   Milestone:
Component:  General           |     Version:  6.9.1
 Severity:  critical          |  Resolution:  invalid
 Keywords:  needs-patch       |     Focuses:  php-compatibility
------------------------------+--------------------------------
Changes (by johnbillion):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
@artsiomreutovich When you submitted this report why did you ignore the
warning telling you not to publicly submit a security vulnerability report
here?

I presume you're actually referring to
https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p
which is a vulnerability in PHPUnit that your AI-assisted or
automated scanning tool has picked up due to the dependencies in
composer.json for `sodium_compat`.

Please be ''significantly'' more careful in the future, especially when
you use AI or automated tools to generate bug reports or report security
vulnerabilities:
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64646#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform