$ curl --data "<?php echo(pi());" "https://tools.wmflabs.org/mwstew/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" 3.1415926535898
This is CVE-2017-9841 / http://phpunit.vulnbusters.com/
I deleted the problematic file for now (tools.mwstew@tools-bastion-03:~/public_html$ rm vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php), but PHPUnit needs to be upgraded to the latest 4.x release to avoid the issue in the future. Also it would be good to not install dev dependencies with composer install --no-dev.
I noticed this with my new Toolforge vulnerability checker.