Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice.

This data is modified in such a way to force the TCPDF library to call the PHP server's "phar://" stream wrapper, and later abuse the PHP deserialization process to run code on the underlying server.

One of PHP's strengths is the ability to easily inject variables, values and attributes into HTML code to create dynamic Web pages.