SCA: security update for datahihi1/tiny-env (GHSA-72cm-7236-h43r)

medium Tenable Cloud Security Plugin ID 435232

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- TinyEnv is an environment variable loader for PHP applications. In versions 1.0.9 and 1.0.10, TinyEnv did
not properly strip inline comments inside .env values. This could lead to unexpected behavior or
misconfiguration, where variables contain unintended characters (including # or comment text).
Applications depending on strict environment values may expose logic errors, insecure defaults, or failed
authentication. The issue is fixed in v1.0.11. Users should upgrade to the latest patched version. As a
temporary workaround, avoid using inline comments in .env files, or sanitize loaded values manually.
(CVE-2025-58759)

See Also

https://github.com/advisories/GHSA-72cm-7236-h43r

Plugin Details

Severity: Medium

ID: 435232

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 9/10/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-58759

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/9/2025

Vulnerability Publication Date: 9/9/2025

Reference Information

CVE: CVE-2025-58759

cwe: CWE-20