CyberSec.Space Logo
Back to CVE Browser

CVE-2017-9841

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score62.3940%
EPSS Percentile86.88th
PublishedJun 27, 2017
Last ModifiedApr 21, 2026

Vulnerability Description

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

Affected Platforms (CPE)

πŸ“¦
Phpunit Project

Phpunit

<= 4.8.27
πŸ“¦
Phpunit Project

Phpunit

>= 5.0.0 and < 5.6.3
πŸ“¦
Oracle

Communications Diameter Signaling Router

>= 8.0.0 and <= 8.5.0

References & Advisories

πŸ”— http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/
πŸ”— http://www.securityfocus.com/bid/101798
πŸ”— http://www.securitytracker.com/id/1039812
πŸ”— https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
πŸ”— https://github.com/sebastianbergmann/phpunit/pull/1956
πŸ”— https://security.gentoo.org/glsa/201711-15
πŸ”— https://www.oracle.com/security-alerts/cpuoct2021.html
πŸ”— http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/

Related Vulnerabilities

CVE-2013-47444.3

Cross-site scripting (XSS) vulnerability in the PHPUnit extension before 3.5.15 for TYPO3 allows remote attackers to inject arbitr...

CVE-2026-121917.8

A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdri...

CVE-2026-121905.3

A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the compo...

CVE-2026-121895.3

A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzm...