CVE-2017-9841
PHPUnit Command Injection Vulnerability
CVSS
—
No CVSS
EPSS
100.0%
p100
KEV
YES
Feb 15, 2022
Exploit Today
80
0-100
Published: — · Last modified: —
100.0%EPSS · 30 days100.0%
2026-06-302026-07-16
Product
PHPUnit / PHPUnit
Vulnerability
PHPUnit Command Injection Vulnerability
Added to KEV
Feb 15, 2022
Remediate by
Aug 15, 2022
Known ransomware use
No
Summary description
PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Required action
Apply updates per vendor instructions.
Notes
https://nvd.nist.gov/vuln/detail/CVE-2017-9841
No related CVEs by CWE or product.