This is bad. Looks like there is a execute arbitrary code remotely vulnerability in nginx and php-fpm when fastcgi_split_path_info is used.
That’s a very common setup.
https://thehackernews.com/2019/10/nginx-php-fpm-hacking.html has all the gore (CVE-2019-11043).Also on (https://beko.famkos.net/t/4Ys)
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!