{"id":"CVE-2017-9841","details":"Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a \"\u003c?php \" substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.","aliases":["GHSA-r7c9-c69m-rph8"],"modified":"2026-04-16T06:24:22.511633612Z","published":"2017-06-27T17:29:00.177Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9841"},{"type":"WEB","url":"http://www.securityfocus.com/bid/101798"},{"type":"WEB","url":"http://www.securitytracker.com/id/1039812"},{"type":"ADVISORY","url":"http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201711-15"},{"type":"FIX","url":"https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5"},{"type":"FIX","url":"https://github.com/sebastianbergmann/phpunit/pull/1956"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sebastianbergmann/phpunit","events":[{"introduced":"0"},{"last_affected":"c062dddcb68e44b563f66ee319ddae2b5a322a90"},{"introduced":"49f1c93ee37d10ffba6ce287d67110547b40b1d7"},{"fixed":"a9de0dbafeb6b1391b391fbb034734cb0af9f67c"},{"introduced":"130104cf796a88dd1547dc5beb8bd555c2deb55e"},{"last_affected":"3ee1c1fd6fc264480c25b6fb8285edefe1702dab"},{"fixed":"284a69fb88a2d0845d23f42974a583d8f59bf5a5"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.8.27"},{"introduced":"5.0.0"},{"fixed":"5.6.3"},{"introduced":"8.0.0"},{"last_affected":"8.5.0"}]}}],"versions":["3.5.0RC2","3.5.0beta1","3.6.0","3.6.0RC1","3.6.0RC2","3.6.0RC3","3.6.0RC4","3.6.1","3.6.2","3.7.0","3.7.0RC2","3.7.0RC3","3.7.0RC4","3.7.0RC5","4.8.0","4.8.1","4.8.10","4.8.11","4.8.12","4.8.13","4.8.14","4.8.16","4.8.17","4.8.18","4.8.19","4.8.2","4.8.20","4.8.21","4.8.22","4.8.23","4.8.24","4.8.25","4.8.26","4.8.27","4.8.3","4.8.4","4.8.5","4.8.6","4.8.7","4.8.8","4.8.9","5.4.0","5.6.0","5.6.1","5.6.2","8.0.0","8.4.0","8.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9841.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}