Critical severity9.8CISA KEVNVD Advisory· Published Jun 27, 2017· Updated Jun 17, 2026
CVE-2017-9841
CVE-2017-9841
Description
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phpunit/phpunitPackagist | >= 4.8.19, < 4.8.28 | 4.8.28 |
phpunit/phpunitPackagist | >= 5.0.10, < 5.6.3 | 5.6.3 |
Affected products
3- cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*Range: >=8.0.0,<=8.5.0
Patches
Vulnerability mechanics
References
14- github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5nvdPatchThird Party AdvisoryWEB
- github.com/sebastianbergmann/phpunit/pull/1956nvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlnvdPatchThird Party AdvisoryWEB
- web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/nvdThird Party Advisory
- github.com/advisories/GHSA-r7c9-c69m-rph8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-9841ghsaADVISORY
- security.gentoo.org/glsa/201711-15nvdThird Party AdvisoryWEB
- web.archive.org/web/20170701212357/http://phpunit.vulnbusters.comghsaWEB
- www.securityfocus.com/bid/101798nvdBroken LinkWEB
- www.securitytracker.com/id/1039812nvdBroken LinkWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/CVE-2017-9841.yamlghsaWEB
- github.com/sebastianbergmann/phpunit/commit/3aaddb1c5bd9b9b8d070b4cf120e71c36fd08412ghsaWEB
- github.com/sebastianbergmann/phpunit/pull/1955ghsaWEB
- www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government ResourceWEB
News mentions
0No linked articles in our index yet.