Severe, but you also need to use quite specific configuration to be vulnerable. I can imagine this pattern to be widespread in some classical PHP applications deployed via nginx.