The impact is severe. Since the web server typically runs PHP processes as a specific user (often www-data ), successful exploitation grants the attacker:
directory is publicly accessible, attackers can call this file directly via a web browser or tool like Alert Logic Support Center vendor phpunit phpunit src util php eval-stdin.php exploit
Add a location block to deny access to the vendor directory. The impact is severe