CVE-2017-9841 (Primary), related to component usage.
Affected Component: <phpunit>/src/Util/PHP/eval-stdin.php
Severity: Critical (CVSS 9.8)
Affected Versions: PHPUnit before 4.8.28 and 5.x before 5.6.3.
Your vendor folder should never, ever be directly accessible by a web request. And your production server should never, ever see a --dev dependency.
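
A deploy-time check for both rules above, as an added example that is not part of the original page: it flags any Composer vendor directory inside a document root and any deployed copy of eval-stdin.php. The function names and finding labels are assumptions made for this example, and the `php://input` test is a heuristic for telling the pre-fix file from a fixed one.

```sh
#!/bin/sh
# Added example (not from the original page): audit a document root for
# deployed Composer dev dependencies. Names and labels are assumptions.

# Print every PHPUnit eval-stdin.php below directory $1.
find_eval_stdin() {
    find "$1" -type f -path '*/phpunit/src/Util/PHP/eval-stdin.php' 2>/dev/null
}

# Print every Composer vendor directory (recognised by its autoload.php)
# located inside the document root $1.
find_vendor_dirs() {
    find "$1" -type f -path '*/vendor/autoload.php' 2>/dev/null |
        sed 's|/autoload\.php$||'
}

# Heuristic: the pre-fix file read the HTTP request body (php://input);
# fixed releases read php://stdin. Either way it should not be deployed.
classify_eval_stdin() {
    if grep -q 'php://input' "$1"; then
        echo "UNPATCHED"
    else
        echo "patched-but-deployed"
    fi
}

# Print one finding per line; return 1 if there are any, so the check
# can fail a deploy pipeline.
audit_docroot() {
    report=$(
        find_vendor_dirs "$1" | while IFS= read -r d; do
            echo "VENDOR_IN_DOCROOT $d"
        done
        find_eval_stdin "$1" | while IFS= read -r f; do
            echo "EVAL_STDIN $(classify_eval_stdin "$f") $f"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: sh audit.sh /var/www/html
if [ "$#" -gt 0 ]; then
    audit_docroot "$1"
fi
```

A finding means the release should be rebuilt with `composer install --no-dev` and the vendor directory moved outside the document root or denied by the web server.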