Vendor Phpunit Phpunit Src Util Php Eval-stdin.php Cve Jun 2026
vendor/phpunit/phpunit src/util/php/eval-stdin.php
The original code used a dangerous combination of functions:

eval('?> ' . file_get_contents('php://input'));
location ~ /vendor {
    deny all;
    return 404;
}
composer require phpunit/phpunit:">=5.6.3"
| Item | Detail |
|-------------------|--------|
| | CVE-2017-9841 |
| Component | PHPUnit eval-stdin.php |
| Attack vector | HTTP request to vulnerable script |
| Impact | Remote Code Execution (RCE) |
| Fix | Update PHPUnit, remove file, block /vendor/ |
POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: target-vulnerable-site.com
Content-Type: text/html
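
A log-triage check for the request above, added here as an example (it is not part of the original page or of PHPUnit): it scans access-log lines for requests to eval-stdin.php and separates those the server answered from those it refused. The combined log format, the function names and the sample lines (documentation IP ranges) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed combined log format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Tail of the page's path, matched after normalisation so any install prefix hits.
TARGET_RE = re.compile(r'/phpunit/src/util/php/eval-stdin\.php$')

def normalise(target):
    """Drop the query string, decode %XX, collapse repeated slashes, lower-case."""
    path = unquote(target.split('?', 1)[0])
    return re.sub(r'/+', '/', path).lower()

def triage(lines):
    """Return (ip, method, status, verdict) for each request to eval-stdin.php."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format
        ip, method, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if not TARGET_RE.search(normalise(target)):
            continue
        # A 2xx answer means the script was reachable and ran: investigate the host.
        verdict = "served" if 200 <= status < 300 else "refused"
        hits.append((ip, method, status, verdict))
    return hits

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.9 - - [10/Jan/2024:10:00:05 +0000] "GET /app//vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php?a=1 HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.4 - - [10/Jan/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit)
```

A "served" hit means the file was reachable from the web at the time of the request; "refused" hits show the block on /vendor is working.
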
, or any newer version (like 6.x+). The patch changed the input source to php://stdin, which cannot be populated via web-based HTTP requests.

Restrict Access: Block external access to the folder using your web server configuration (e.g., for Apache or blocks for Nginx).

Cleanup Production:
The vulnerability is classified as an bug and carries a maximum CVSS v3.1 score of 9.8 (Critical).

Affected Versions

PHPUnit 4.x versions prior to 4.8.28
PHPUnit 5.x versions prior to 5.6.3

The Root Cause Code


