Skip to main content

MixPHP Framework CVE-2026-42473

| EUVDEUVD-2026-26674 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-05-01 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 01, 2026 - 19:22 vuln.today
CVSS changed
May 01, 2026 - 19:22 NVD
9.8 (None) 9.8 (CRITICAL)
EUVD ID Assigned
May 01, 2026 - 16:00 euvd
EUVD-2026-26674
Analysis Generated
May 01, 2026 - 16:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from the filesystem in the FileHandler object.

AnalysisAI

Remote code execution in MixPHP Framework 2.x through 2.2.17 allows unauthenticated network attackers to execute arbitrary code via unsafe deserialization. The FileHandler class processes session and cache data using PHP's unserialize() on filesystem-sourced content without validation, enabling object injection attacks. CVSS 9.8 critical severity with network attack vector and no privileges required. SSVC assessment confirms automatable exploitation with total technical impact. No active exploitation confirmed at time of analysis (not in CISA KEV), but publicly available proof-of-concept exists (GitHub gist reference).

Technical ContextAI

PHP's unserialize() function is a notorious attack surface because it can instantiate arbitrary objects from serialized data, triggering magic methods (__wakeup, __destruct, __toString) that execute attacker-controlled code if the application includes exploitable classes (gadget chains). MixPHP Framework 2.x implements session and cache persistence through a FileHandler class that reads serialized data from the filesystem and passes it directly to unserialize() without integrity checks or signature validation. This is a textbook CWE-502 (Deserialization of Untrusted Data) vulnerability. The affected component is identifiable in the GitHub repository at src/sync-invoke/src/Server.php in version 2.2.17. The CPE string is generic (cpe:2.3:a:n/a:n/a), indicating incomplete vendor metadata in NVD, but the GitHub references confirm the mix-php/mix repository as the authoritative source. All MixPHP Framework 2.x versions through 2.2.17 contain vulnerable FileHandler deserialization code.

RemediationAI

Upgrade to MixPHP Framework version 3.x or later if available, as the 2.x branch appears unmaintained based on the vulnerability scope (no patch version beyond 2.2.17 referenced). Consult the official MixPHP GitHub repository (https://github.com/mix-php/mix) for migration guidance or security patches. If immediate upgrade is not feasible, implement these compensating controls: (1) Replace file-based session/cache handlers with alternative backends that do not use unserialize() (Redis, Memcached with igbinary serialization, or database-backed sessions with parameterized queries). This eliminates the vulnerable code path but requires application reconfiguration and may impact session persistence across deployments. (2) Restrict filesystem permissions on session/cache directories to prevent attacker write access (chmod 700, chown to web server user only). This mitigates exploitation if attackers need to plant malicious serialized files, but does not protect against race conditions or user-uploaded content processed as cache. (3) Deploy PHP in environments without exploitable gadget chains by auditing and removing unnecessary libraries, though this is impractical for most real-world applications. (4) Implement Web Application Firewall (WAF) rules to detect PHP object injection patterns in HTTP requests, though this is easily bypassed with encoding. No vendor advisory link available; monitor https://github.com/mix-php/mix/security/advisories for official guidance.

Share

CVE-2026-42473 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy