PHPUnit is a programmer-oriented testing framework for PHP. PHPUnit 4.x versions before 4.8.28 and 5.x versions before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a <?php substring. This vulnerability is exploitable only if the /vendor folder is publicly accessible.


Upgrade to the latest version of PHPUnit. This issue was fixed in PHPUnit versions 4.8.28 and 5.6.3.


Related Vulnerabilities