What is the CVSS score of CVE-2026-37552?

CVE-2026-37552 has a CVSS 3.1 base score of 8.4 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of MixPHP Framework are affected by CVE-2026-37552?

MixPHP Framework versions 2.0 through 2.2.17 contain an arbitrary code execution vulnerability in the sync-invoke server that allows local attackers to execute malicious PHP code via unauthenticated…

How to fix or mitigate CVE-2026-37552?

Within 24 hours: Identify all systems running MixPHP Framework 2.x versions and document their network exposure. Restrict network access to port 127.0.0.1 sync-invoke server to only trusted internal services. Within 7 days: Implement network segmentation to isolate MixPHP instances and monitor for suspicious TCP connections to affected ports. Contact MixPHP development team for patch timeline and evaluate upgrading to version 2.2.18 or later once available. Within 30 days: Deploy upgraded MixPHP Framework version and perform application security testing to verify remediation.

MixPHP Framework CVE-2026-37552

EUVD-2026-26670 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-05-01 mitre

PHP RCE Deserialization

8.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 01, 2026 - 16:30 vuln.today

EUVD ID Assigned

May 01, 2026 - 16:00 euvd

EUVD-2026-26670

Analysis Generated

May 01, 2026 - 16:00 vuln.today

CVE Published

May 01, 2026 - 00:00 nvd

HIGH 8.4

DescriptionNVD

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution.

AnalysisAI

Arbitrary code execution in MixPHP Framework 2.x through 2.2.17 allows local attackers to execute malicious PHP closures via unauthenticated TCP connections to the sync-invoke server. The vulnerability stems from unsafe deserialization of untrusted data on localhost-bound port 127.0.0.1, where Server.php directly passes socket data to Opis\Closure\unserialize() and executes the result without authentication or signature verification. …

RemediationAI

Within 24 hours: Identify all systems running MixPHP Framework 2.x versions and document their network exposure. Restrict network access to port 127.0.0.1 sync-invoke server to only trusted internal services. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-37552 vulnerability details – vuln.today

Back

MixPHP Framework CVE-2026-37552

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code