Attackers send a POST request to the vulnerable URI. If the server is misconfigured to allow public access to the /vendor directory, the code executes immediately. Vulnerability Details : CVE-2017-9841
CVE stands for Common Vulnerabilities and Exposures, which is a list of entries—containing an identification number, a description, and at least one public exploit—for a specific vulnerability. The mention of a CVE in relation to PHPUnit indicates there's a publicly known vulnerability that might affect applications using a vulnerable version of PHPUnit. vendor phpunit phpunit src util php eval-stdin.php cve
| CVE ID | Description | Vulnerable Versions | Patched Versions | CVSS v3 Score | | :--- | :--- | :--- | :--- | :--- | | CVE-2017-9841 | Remote Code Execution (RCE) via /src/Util/PHP/eval-stdin.php | 4.x before 4.8.28, 5.x before 5.6.3 | 4.8.28 & 5.6.3 or later | 9.8 (Critical) | Attackers send a POST request to the vulnerable URI