Skip to main content

MixPHP Framework EUVDEUVD-2026-26670

| CVE-2026-37552 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-05-01 mitre
8.4
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 16:30 vuln.today
EUVD ID Assigned
May 01, 2026 - 16:00 euvd
EUVD-2026-26670
Analysis Generated
May 01, 2026 - 16:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 8.4

DescriptionCVE.org

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution.

AnalysisAI

Arbitrary code execution in MixPHP Framework 2.x through 2.2.17 allows local attackers to execute malicious PHP closures via unauthenticated TCP connections to the sync-invoke server. The vulnerability stems from unsafe deserialization of untrusted data on localhost-bound port 127.0.0.1, where Server.php directly passes socket data to Opis\Closure\unserialize() and executes the result without authentication or signature verification. Exploitation requires local network access or SSRF capability against the application server. No public exploit code identified at time of analysis, but the attack mechanism is straightforward for attackers with PHP deserialization knowledge.

Technical ContextAI

MixPHP Framework's sync-invoke component implements a TCP server for inter-process communication using PHP object serialization. The vulnerability exists at Server.php line 87, where the server accepts TCP connections on localhost (127.0.0.1) and deserializes incoming data using Opis\Closure\unserialize(), a library that extends PHP's native unserialization to support closures and anonymous functions. The deserialized closure is then immediately executed via call_user_func() without any validation. This represents a classic unsafe deserialization vulnerability (typically CWE-502), where untrusted data controls object instantiation and code execution. PHP deserialization attacks are well-understood and frequently leverage magic methods (__wakeup, __destruct, __toString) or in this case, direct closure execution to achieve remote code execution. The localhost binding provides some network-level protection but does not prevent exploitation by local users, compromised applications on the same host, or SSRF vectors.

RemediationAI

No vendor-released patch identified at time of analysis for MixPHP 2.2.17 or newer 2.x versions. The framework repository at https://github.com/mix-php/mix should be monitored for security advisories and patched releases addressing this deserialization flaw. Immediate compensating controls include: Disable the sync-invoke TCP server component entirely if not operationally required for inter-process communication (assess impact on application functionality first). Implement network-level access controls using firewall rules or iptables to restrict connections to the sync-invoke port only from explicitly trusted local processes or users, though this requires precise process-to-port mapping and may break legitimate IPC. Deploy application-level authentication by modifying Server.php to validate HMAC signatures or pre-shared tokens on incoming messages before deserialization (requires code changes and coordination with client components). Containerize MixPHP applications with strict network policies that prevent localhost port access from untrusted containers or host processes (note: shared network namespaces defeat this control). Monitor for migration paths to MixPHP 3.x or alternative frameworks, as the 2.x branch may be approaching end-of-life. Each mitigation has trade-offs: disabling sync-invoke may break functionality, authentication requires code maintenance, and network isolation adds operational complexity. Review the proof-of-concept at https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975 to understand the exact attack mechanism and validate effectiveness of mitigations in your environment.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-26670 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy