(e.g., nginx.conf or .htaccess) to confirm that direct access to /vendor/ is restricted to localhost or forbidden entirely.
If a project includes PHPUnit as a dependency (stored in the vendor directory) and that directory is publicly accessible via a web server, an attacker can send a specially crafted HTTP request to execute arbitrary PHP code on the server.
Using the server to host phishing pages or malware.
Date: March 23, 2026.
An attacker can send a crafted HTTP POST request containing PHP code starting with
CVE-2017-9841 affects all PHPUnit versions before the following patched releases:
The specific path /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php points directly to CVE-2017-9841, one of the most persistent and actively scanned Remote Code Execution (RCE) flaws in the history of web application security. Originally discovered in 2017, this flaw stems from a testing utility bundled inside PHPUnit, the premier testing framework for the PHP programming language.
Several open-source tools can help you scan for this vulnerability at scale:
Many applications are built, deployed, and then rarely updated. Legacy sites running older PHP versions or old Composer lock files are prime targets.