Skip to main content

MixPHP Framework CVE-2026-42472

| EUVDEUVD-2026-26673 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-05-01 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 01, 2026 - 19:22 vuln.today
CVSS changed
May 01, 2026 - 19:22 NVD
9.8 (None) 9.8 (CRITICAL)
EUVD ID Assigned
May 01, 2026 - 16:00 euvd
EUVD-2026-26673
Analysis Generated
May 01, 2026 - 16:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from Redis in the RedisHandler object.

AnalysisAI

Remote unauthenticated code execution in MixPHP Framework 2.x through 2.2.17 allows attackers to execute arbitrary PHP code by injecting malicious serialized objects into Redis-backed session or cache storage. The framework's RedisHandler directly deserializes untrusted data from Redis using PHP's unserialize() function without validation. CVSS 9.8 with network vector, low complexity, and no privileges required. EPSS and KEV status not provided; SSVC framework marks this as automatable with total technical impact, indicating high exploitability despite no confirmed active exploitation at time of analysis.

Technical ContextAI

MixPHP is a PHP development framework that provides session and cache management through various handlers including Redis. The vulnerability exists in the RedisHandler implementation where session and cache data retrieved from Redis storage is passed directly to PHP's unserialize() function. This is a classic CWE-502 (Deserialization of Untrusted Data) vulnerability. PHP object deserialization is inherently dangerous when applied to attacker-controlled data because serialized PHP objects can trigger magic methods (__wakeup, __destruct, __toString) that execute code during the deserialization process. By crafting malicious serialized objects leveraging existing classes in the application or framework (gadget chains), an attacker can achieve arbitrary code execution. The affected code is visible in the GitHub repository at version 2.2.17 in the sync-invoke Server.php implementation, which handles Redis operations for distributed session/cache synchronization.

RemediationAI

Upgrade to MixPHP Framework version 3.x or later if available, as version 2.2.17 is the last confirmed vulnerable release in the 2.x series. No specific patched version within the 2.x branch is identified in available data - vendors should consult the official MixPHP GitHub repository at https://github.com/mix-php/mix for latest security updates. If immediate upgrade is not feasible, implement these compensating controls with noted limitations: (1) Restrict Redis network access to localhost only or specific application servers via firewall rules and Redis bind configuration - this prevents external attackers from injecting malicious data but does not protect against lateral movement attacks; (2) Enable Redis authentication using requirepass directive - adds barrier but authenticated attackers or credential theft still enables exploitation; (3) Implement input validation and integrity checks before deserialization by replacing unserialize() calls with JSON-based serialization or cryptographically signed serialization wrappers - requires code modification and testing for compatibility with existing session data; (4) Deploy Redis in isolated network segments with strict ACLs limiting write access to only the application server - reduces attack surface but increases operational complexity. All mitigations except code-level fixes treat symptoms rather than root cause.

More in Redis

View all
CVE-2026-48172 CRITICAL POC
10.0 May 21

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i

CVE-2025-49844 CRITICAL POC
9.9 Oct 03

UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.

CVE-2022-0543 CRITICAL POC
10.0 Feb 18

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific

CVE-2018-11218 CRITICAL POC
9.8 Jun 17

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,

CVE-2025-46817 HIGH POC
7.0 Oct 03

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user

CVE-2015-4335 CRITICAL POC
10.0 Jun 09

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

CVE-2016-8339 CRITICAL POC
9.8 Oct 28

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr

CVE-2026-27574 CRITICAL POC
9.9 Feb 21

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

CVE-2021-31649 CRITICAL POC
9.8 Jun 24

In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab

CVE-2020-11981 CRITICAL POC
9.8 Jul 17

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2018-11219 CRITICAL POC
9.8 Jun 17

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4

CVE-2024-23998 CRITICAL POC
9.6 Jul 05

goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v

Share

CVE-2026-42472 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy