CVE-2017-9841

CVE-2017-9841 (PHPUnit) affects the Util/PHP/eval-stdin.php component of PHPUnit. The vulnerability allows remote code execution when an HTTP POST request starts with the string "<?php" (or with a leading '

CVE-2013-4744

The CVE-2013-4744 entry concerns a Cross-site Scripting (XSS) vulnerability in the TYPO3 ecosystem's PHPUnit extension. Affected component: the PHPUnit extension used with TYPO3, versions before 3.5.15. Root cause is not detailed in the provided documents beyond the XSS claim; vectors are describ...

CVE-2026-24765

CVE-2026-24765 affects PHPUnit; the vulnerability stems from unsafe deserialization of code coverage data during PHPT test execution. In older releases (pre-12.5.8, 11.5.50, 10.5.62, 9.6.33, 8.5.52), PHPUnit deserializes .coverage files without validating allowed classes in cleanupForCoverage(), ...

CVE-2026-41570

PHPUnit versions 12.5.21 and 13.1.5 forward PHP INI settings to child processes as -d name=value without neutralizing metacharacters, allowing newline-based directive injection. This can lead to remote code execution via auto_prepend_file in the child process. Patches are available in PHPUnit 12....