Vendor Phpunit Phpunit Src Util Php Eval-stdin.php Cve Repack

If you have ever run composer install on a legacy project, pulled a popular CMS like Drupal, WordPress, or Magento, or inherited a decade-old codebase, chances are you have, without knowing it, hosted this exploitable file.

Marta opened the archive of the deployment logs and found two curious entries—POST requests from an IP on the fringe of their blocklist. No payload had run; the server had refused it that week because a firewall rule blocked requests lacking an internal header. A hairline of luck had saved them. She stared at the timestamps and felt the tightening in her chest that only relief can make: the universe had handed them a second chance.

A notable real-world impact was on Drupal sites using the Mailchimp and Mailchimp E-Commerce modules. These modules included PHPUnit as a dependency, leaving over 25,000 sites vulnerable. Attackers exploited the flaw to compromise these Drupal sites, leading Drupal to issue a public service announcement (PSA-2019-0904).

Date: March 23, 2026.

If you cannot update immediately, block access to the /vendor directory in your web server configuration (e.g., Nginx or Apache).

The primary condition required for this vulnerability to be exploitable is that the vendor directory must be web-accessible.

If you cannot upgrade, you can apply the official patch by hand: it changes the file to read from php://stdin instead of php://input. Upgrading is still strongly preferred.
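The two conditions above (a PHPUnit release in the vulnerable range, and the helper sitting below the web server's document root) can be checked locally before relying on a web-server rule. The following is an added example written for this page, not code from PHPUnit or from the original article; the composer.lock content, the document-root layout and the function names are constructed for the demonstration.

```python
"""Added example (not from the original page): audit a Composer checkout for CVE-2017-9841 by
checking a vulnerable phpunit/phpunit pin (4.x < 4.8.28, 5.x < 5.6.3) and eval-stdin.php under the docroot."""
import json
import os
import re
import tempfile

PATCHED = {4: (4, 8, 28), 5: (5, 6, 3)}  # first fixed release per major, from the table on this page
EVAL_STDIN = os.path.join("vendor", "phpunit", "phpunit", "src", "Util", "PHP", "eval-stdin.php")

def parse_version(tag):
    """Turn a Composer tag such as 'v4.8.27' into a comparable tuple; None for branch names."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable_version(tag):
    """True when the tag falls inside a vulnerable range from the table above."""
    ver = parse_version(tag)
    patched = PATCHED.get(ver[0]) if ver else None
    return patched is not None and ver < patched

def locked_phpunit_version(lock_path):
    """Return the phpunit/phpunit version pinned in composer.lock, or None if absent."""
    with open(lock_path, encoding="utf-8") as fh:
        lock = json.load(fh)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "phpunit/phpunit":
                return pkg.get("version")
    return None

def audit(project_dir, web_root):
    """Report the pinned version and whether the helper file is reachable below web_root."""
    version = locked_phpunit_version(os.path.join(project_dir, "composer.lock"))
    helper = os.path.abspath(os.path.join(project_dir, EVAL_STDIN))
    root = os.path.abspath(web_root)
    exposed = os.path.isfile(helper) and os.path.commonpath([helper, root]) == root
    return {"version": version, "helper_under_web_root": exposed,
            "vulnerable_version": bool(version) and is_vulnerable_version(version)}

def audit_sample():
    """Constructed worst case: a vulnerable pin with vendor/ checked out inside the docroot."""
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.dirname(os.path.join(docroot, EVAL_STDIN)))
        open(os.path.join(docroot, EVAL_STDIN), "w").close()
        with open(os.path.join(docroot, "composer.lock"), "w", encoding="utf-8") as fh:
            json.dump({"packages-dev": [{"name": "phpunit/phpunit", "version": "4.8.27"}]}, fh)
        return audit(docroot, docroot)
```

A project whose vendor directory lives outside the document root reports `helper_under_web_root` as False even when the pinned version is old, which is exactly the condition the text says removes exploitability; the version check still flags it for upgrade.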

The keyword refers to one of the most persistent and scanned-for security flaws in the PHP ecosystem: CVE-2017-9841.

This comprehensive analysis breaks down the anatomy of the vulnerability, explains why it persists, and details how you can secure your infrastructure.

Anatomy of CVE-2017-9841

Inside the original Util/PHP/eval-stdin.php file, the core execution routine was written as:

eval('?>' . file_get_contents('php://input'));

Why it is Dangerous

| CVE ID | Description | Vulnerable Versions | Patched Versions | CVSS v3 Score |
| :--- | :--- | :--- | :--- | :--- |
| CVE-2017-9841 | Remote Code Execution (RCE) via /src/Util/PHP/eval-stdin.php | 4.x before 4.8.28, 5.x before 5.6.3 | 4.8.28 & 5.6.3 or later | 9.8 (Critical) |

The vulnerable file is vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (or similar paths), which reads PHP code directly from the request body and executes it without any authentication or validation. Vulnerability Type: Remote Code Execution (RCE) / Code Injection. CVSS Score: 9.8 (Critical). Affected Versions: PHPUnit 4.x before 4.8.28 and 5.x before 5.6.3 (NIST NVD).

Why This Happens

This vulnerability is typically exploited in production environments where the vendor directory is accidentally exposed to the public internet.

<Directory "vendor/">
    Require all denied
</Directory>

Infecting the server to launch DDoS attacks.

How to Fix and Prevent CVE-2017-9841

The file src/Util/PHP/eval-stdin.php was intended for internal testing purposes. It contains the following code (simplified):