### Impact This affects only workflows that pin an exact affected Composer semver version through setup-php, for example `tools: composer:2.9.7`. Workflows using the default Composer version, `composer:v2`, or no pinned Composer version are not affected through setup-php, because those Composer URLs have been updated to patched Composer releases for all setup-php versions. setup-php does not dir

### Summary A command injection vulnerability was identified in `shivammathur/setup-php` when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script. In affected versions, `setup-php` may read the PHP version from: - `.php-version` - `composer.lock` via `platform-overrides.php` - `composer.json` via `config.platform.ph