The vulnerability exists in the eval-stdin.php file, which was originally intended to help run tests in isolated environments. In affected versions, the script uses a PHP eval() function to process raw data from the HTTP request body.
If an attacker can trigger this file remotely, they can pipe arbitrary PHP code into php://stdin , and the server will execute it. index of vendor phpunit phpunit src util php eval-stdin.php
Or, more aggressively (if PHPUnit exists elsewhere): The vulnerability exists in the eval-stdin