Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "
CVE-2017-9841
Score elevated to 9.8 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2022-02-15), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 9.8 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
A fix is available — apply it.
- CVSS v3
- 9.8
- EG Score
- 9.8(medium)
- EPSS
- 100.0%
- KEV
- ⚠ Exploited
Published
June 27, 2017
Last Modified
April 21, 2026
Advisory Details (5)
Auto-updated Apr 30, 2026CVE-2017-9841 RCE vulnerability in phpunit
http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/PHPUnit: Remote code execution (GLSA 201711-15) — Gentoo security
https://security.gentoo.org/glsa/201711-15Fix insulated tests with phpdbg by nicolas-grekas · Pull Request #1956 · sebastianbergmann/phpunit · GitHub
https://github.com/sebastianbergmann/phpunit/pull/1956Correct fix for #1956 · sebastianbergmann/phpunit@284a69f · GitHub
https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5Patch Availability(1)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | phpunit (5.1.3-1+ubuntu3+esm1) @ xenial | 2026-07-07 | ubuntu |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Packagist(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| phpunit/phpunit | 5.0.10 ... 5.6.2 (48 versions) | 5.6.3 | — |
All Vendor Advisories
(1)
Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.
Data Freshness Timeline
(refreshed 73× in last 7d / 337× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 471 total refreshes for this CVE.
- 2026-07-07 15:29 UTCEG score recompute
- 2026-07-07 15:29 UTCVendor advisory
- 2026-07-07 11:38 UTCEG score recompute
- 2026-07-07 11:38 UTCVendor advisory
- 2026-07-07 07:48 UTCEG score recompute
- 2026-07-07 03:58 UTCEG score recompute
- 2026-07-07 03:58 UTCVendor advisory
- 2026-07-07 00:07 UTCEG score recompute
- 2026-07-07 00:07 UTCVendor advisory
- 2026-07-06 20:18 UTCEG score recompute
- 2026-07-06 16:26 UTCEG score recompute
- 2026-07-06 12:36 UTCEG score recompute
- 2026-07-06 12:36 UTCVendor advisory
- 2026-07-06 08:46 UTCEG score recompute
- 2026-07-06 04:54 UTCEG score recompute
- 2026-07-06 04:54 UTCVendor advisory
- 2026-07-06 01:04 UTCEG score recompute
- 2026-07-06 01:04 UTCVendor advisory
- 2026-07-05 21:13 UTCEG score recompute
- 2026-07-05 21:13 UTCVendor advisory
- 2026-07-05 17:23 UTCEG score recompute
- 2026-07-05 17:23 UTCVendor advisory
- 2026-07-05 13:33 UTCEG score recompute
- 2026-07-05 13:33 UTCVendor advisory
- 2026-07-05 09:43 UTCEG score recompute
Show 75 moreShow fewer
- 2026-07-05 05:53 UTCEG score recompute
- 2026-07-05 02:02 UTCEG score recompute
- 2026-07-04 22:12 UTCEG score recompute
- 2026-07-04 22:12 UTCVendor advisory
- 2026-07-04 18:21 UTCEG score recompute
- 2026-07-04 14:30 UTCEG score recompute
- 2026-07-04 14:30 UTCVendor advisory
- 2026-07-04 10:40 UTCEG score recompute
- 2026-07-04 06:47 UTCEG score recompute
- 2026-07-04 06:47 UTCVendor advisory
- 2026-07-04 02:55 UTCEG score recompute
- 2026-07-03 23:06 UTCEG score recompute
- 2026-07-03 19:14 UTCEG score recompute
- 2026-07-03 19:14 UTCVendor advisory
- 2026-07-03 15:25 UTCEG score recompute
- 2026-07-03 15:25 UTCVendor advisory
- 2026-07-03 11:35 UTCEG score recompute
- 2026-07-03 07:44 UTCEG score recompute
- 2026-07-03 07:44 UTCVendor advisory
- 2026-07-03 03:53 UTCEG score recompute
- 2026-07-03 03:53 UTCVendor advisory
- 2026-07-03 00:03 UTCEG score recompute
- 2026-07-02 20:12 UTCEG score recompute
- 2026-07-02 20:12 UTCVendor advisory
- 2026-07-02 16:21 UTCEG score recompute
- 2026-07-02 16:21 UTCVendor advisory
- 2026-07-02 12:31 UTCEG score recompute
- 2026-07-02 12:31 UTCVendor advisory
- 2026-07-02 08:41 UTCEG score recompute
- 2026-07-02 04:52 UTCEG score recompute
- 2026-07-02 04:52 UTCVendor advisory
- 2026-07-02 01:02 UTCEG score recompute
- 2026-07-01 21:11 UTCEG score recompute
- 2026-07-01 21:11 UTCVendor advisory
- 2026-07-01 19:16 UTCCISA KEV update
- 2026-07-01 17:21 UTCEG score recompute
- 2026-07-01 17:21 UTCVendor advisory
- 2026-07-01 13:31 UTCEG score recompute
- 2026-07-01 13:31 UTCVendor advisory
- 2026-07-01 09:41 UTCEG score recompute
- 2026-07-01 09:41 UTCVendor advisory
- 2026-07-01 05:51 UTCEG score recompute
- 2026-07-01 02:00 UTCEG score recompute
- 2026-07-01 02:00 UTCVendor advisory
- 2026-06-30 22:10 UTCEG score recompute
- 2026-06-30 22:10 UTCVendor advisory
- 2026-06-30 18:20 UTCEG score recompute
- 2026-06-30 18:20 UTCVendor advisory
- 2026-06-30 14:30 UTCEG score recompute
- 2026-06-30 10:39 UTCEG score recompute
- 2026-06-30 06:49 UTCEG score recompute
- 2026-06-30 02:59 UTCEG score recompute
- 2026-06-30 02:59 UTCVendor advisory
- 2026-06-29 23:08 UTCEG score recompute
- 2026-06-29 23:08 UTCVendor advisory
- 2026-06-29 19:19 UTCEG score recompute
- 2026-06-29 19:19 UTCVendor advisory
- 2026-06-29 19:12 UTCCISA KEV update
- 2026-06-29 15:30 UTCEG score recompute
- 2026-06-29 15:30 UTCVendor advisory
- 2026-06-29 11:39 UTCEG score recompute
- 2026-06-29 11:39 UTCVendor advisory
- 2026-06-29 07:49 UTCEG score recompute
- 2026-06-29 07:49 UTCVendor advisory
- 2026-06-29 03:58 UTCEG score recompute
- 2026-06-29 03:58 UTCVendor advisory
- 2026-06-29 00:04 UTCEG score recompute
- 2026-06-29 00:04 UTCVendor advisory
- 2026-06-28 20:14 UTCEG score recompute
- 2026-06-28 20:14 UTCVendor advisory
- 2026-06-28 16:24 UTCEG score recompute
- 2026-06-28 16:24 UTCVendor advisory
- 2026-06-28 12:34 UTCEG score recompute
- 2026-06-28 12:34 UTCVendor advisory
- 2026-06-28 08:44 UTCEG score recompute
Publicly available exploits
(10 references)Working exploit code is in the public domain (9 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCdrcrypterdotru/PHPUnit-GoScanFirst seen Aug 30, 2025
PHPUnit CVE-2017-9841 Scanner in Go clean and fire.
Open source ↗ - GitHub PoCK3ysTr0K3R/CVE-2017-9841-EXPLOITFirst seen Jun 10, 2025
A PoC exploit for CVE-2017-9841 - PHPUnit Remote Code Execution(RCE)
Open source ↗ - GitHub PoCChocapikk/CVE-2017-9841First seen Aug 27, 2023
PHPUnit RCE
Open source ↗ - GitHub PoCMrG3P5/CVE-2017-9841First seen Mar 13, 2023
A Tool for scanning CVE-2017-9841 with multithread
Open source ↗ - GitHub PoCMadExploits/PHPunit-ExploitFirst seen Dec 7, 2022
PHPunit Checker CVE-2017-9841 By MrMad
Open source ↗ - GitHub PoCp1ckzi/CVE-2017-9841First seen Apr 9, 2022
phpunit-shell | CVE_2017-9841
Open source ↗ - GitHub PoCakr3ch/CVE-2017-9841First seen Mar 20, 2022
RCE exploit for PHP Unit 5.6.2
Open source ↗ - Exploit-DBEDB-50702First seen Feb 2, 2022
PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)
Open source ↗ - GitHub PoCincogbyte/laravel-phpunit-rce-masscanerFirst seen Jul 4, 2021
Masscanner for Laravel phpunit RCE CVE-2017-9841
Open source ↗ - GitHub PoCludy-dev/PHPUnit_eval-stdin_RCEFirst seen Sep 14, 2020
(CVE-2017-9841) PHPUnit_eval-stdin_php Remote Code Execution
Open source ↗
Frequently asked(6)
What is CVE-2017-9841?
When was CVE-2017-9841 disclosed?
Is CVE-2017-9841 actively exploited?
What is the CVSS score of CVE-2017-9841?
Which products are affected by CVE-2017-9841?
How do I remediate CVE-2017-9841?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2017-9841
Is Your Infrastructure Affected by CVE-2017-9841?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.