Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from Redis in the RedisHandler object.
AnalysisAI
Remote unauthenticated code execution in MixPHP Framework 2.x through 2.2.17 allows attackers to execute arbitrary PHP code by injecting malicious serialized objects into Redis-backed session or cache storage. The framework's RedisHandler directly deserializes untrusted data from Redis using PHP's unserialize() function without validation. CVSS 9.8 with network vector, low complexity, and no privileges required. EPSS and KEV status not provided; SSVC framework marks this as automatable with total technical impact, indicating high exploitability despite no confirmed active exploitation at time of analysis.
Technical ContextAI
MixPHP is a PHP development framework that provides session and cache management through various handlers including Redis. The vulnerability exists in the RedisHandler implementation where session and cache data retrieved from Redis storage is passed directly to PHP's unserialize() function. This is a classic CWE-502 (Deserialization of Untrusted Data) vulnerability. PHP object deserialization is inherently dangerous when applied to attacker-controlled data because serialized PHP objects can trigger magic methods (__wakeup, __destruct, __toString) that execute code during the deserialization process. By crafting malicious serialized objects leveraging existing classes in the application or framework (gadget chains), an attacker can achieve arbitrary code execution. The affected code is visible in the GitHub repository at version 2.2.17 in the sync-invoke Server.php implementation, which handles Redis operations for distributed session/cache synchronization.
RemediationAI
Upgrade to MixPHP Framework version 3.x or later if available, as version 2.2.17 is the last confirmed vulnerable release in the 2.x series. No specific patched version within the 2.x branch is identified in available data - vendors should consult the official MixPHP GitHub repository at https://github.com/mix-php/mix for latest security updates. If immediate upgrade is not feasible, implement these compensating controls with noted limitations: (1) Restrict Redis network access to localhost only or specific application servers via firewall rules and Redis bind configuration - this prevents external attackers from injecting malicious data but does not protect against lateral movement attacks; (2) Enable Redis authentication using requirepass directive - adds barrier but authenticated attackers or credential theft still enables exploitation; (3) Implement input validation and integrity checks before deserialization by replacing unserialize() calls with JSON-based serialization or cryptographically signed serialization wrappers - requires code modification and testing for compatibility with existing session data; (4) Deploy Redis in isolated network segments with strict ACLs limiting write access to only the application server - reduces attack surface but increases operational complexity. All mitigations except code-level fixes treat symptoms rather than root cause.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user
Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26673