CVE-2026-42471
Published: 2026-05-01
Priority: P2 · 62
CVSS 3.1: 8.1 (High), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 1.76% (75.1st percentile)
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if connecting to a malicious server.
Detection & IOCs (extracted from sources)
- Monitor POST requests containing PHP serialized object strings (pattern: O:[0-9]+:"[A-Za-z]+":[0-9]+:{...}) in the 'data' parameter targeting MixPHP endpoints.
- Alert on creation of unexpected files under /tmp/ (e.g., /tmp/p) by PHP worker processes, which may indicate successful deserialization RCE via a __destruct() gadget chain.
- Audit MixPHP sync-invoke client code at Connection.php line 76 for calls to unserialize() on server-supplied data; flag any MixPHP 2.x through 2.2.17 deployments as vulnerable.
- Detect exploitation attempts by monitoring for system() or exec() calls spawned from PHP processes handling deserialized input, particularly where the MixPHP framework is in use.
- The exploit PoC uses a local loopback target (127.0.0.1:8000) for lab demonstration; in real-world attacks the target URL and port will differ. Do not rely solely on this IP/port for detection.
- The vulnerability is client-side: exploitation requires the MixPHP sync-invoke client to connect to a malicious server. The threat model should include scenarios where internal MixPHP clients are redirected to attacker-controlled servers.
- The gadget chain demonstrated relies on a reachable __destruct() magic method. Actual exploitability in production depends on the gadget chains available within the deployed application's class hierarchy.
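The first detection item above gives a regex for PHP serialized object headers. The script below is an added example (not code from the page, from MixPHP, or from any of the cited sources) that applies that idea to request records and goes slightly beyond the page's pattern: it accepts namespaced class names such as `App\Service\Job`, checks that the declared name length actually matches the class name (so random text that merely resembles a header is not flagged), and inspects every form parameter rather than only `data`. The request records are constructed for this example; the `scan_request` and `find_php_objects` names and the record layout are assumptions, not anything MixPHP or the sources define.

```python
import re
from urllib.parse import parse_qs

# Header of a PHP serialized object: O:<name-len>:"<ClassName>":<prop-count>:{
# The page's pattern allows only [A-Za-z]+ for the class name; this one also
# accepts digits, underscores and namespace separators (backslashes).
PHP_OBJECT_HEADER = re.compile(
    r'O:(\d+):"([A-Za-z_\\][A-Za-z0-9_\\]*)":(\d+):\{'
)


def find_php_objects(text):
    """Return class names of well-formed PHP serialized object headers in text.

    A header whose declared name length does not match the class name is not
    valid PHP serialization (unserialize() would reject it), so it is skipped
    to keep false positives down. Nested objects are reported too, since the
    regex is applied across the whole value.
    """
    hits = []
    for match in PHP_OBJECT_HEADER.finditer(text):
        declared_len, class_name, _prop_count = match.groups()
        if int(declared_len) == len(class_name.encode("utf-8")):
            hits.append(class_name)
    return hits


def scan_request(req):
    """Scan one request record (dict with method, path, urlencoded body).

    Returns a list of alert dicts, one per parameter that carries at least
    one PHP serialized object header.
    """
    alerts = []
    # parse_qs percent-decodes the form body, so %3A, %22, %7B etc. become
    # the literal characters the regex expects.
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            classes = find_php_objects(value)
            if classes:
                alerts.append({
                    "method": req.get("method", ""),
                    "path": req.get("path", ""),
                    "param": name,
                    "classes": classes,
                })
    return alerts


def scan_requests(reqs):
    """Run scan_request over a list of records and concatenate the alerts."""
    alerts = []
    for req in reqs:
        alerts.extend(scan_request(req))
    return alerts


# Constructed sample traffic for this example; not captured data.
SAMPLE_REQUESTS = [
    # plain JSON payload: {"id":42} -> no alert
    {"method": "POST", "path": "/api/order",
     "body": "data=%7B%22id%22%3A42%7D"},
    # PHP serialized *array* a:1:{i:0;s:3:"foo";} -> arrays carry no class, no alert
    {"method": "POST", "path": "/api/order",
     "body": "data=a%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22foo%22%3B%7D"},
    # O:15:"App\Service\Job":1:{s:3:"cmd";s:2:"id";} -> alert (namespaced class)
    {"method": "POST", "path": "/sync-invoke",
     "body": "data=O%3A15%3A%22App%5CService%5CJob%22%3A1%3A%7Bs%3A3%3A%22cmd%22%3Bs%3A2%3A%22id%22%3B%7D"},
    # O:3:"Foobar":0:{} -> declared length 3 != 6, malformed, no alert
    {"method": "POST", "path": "/comment",
     "body": "text=O%3A3%3A%22Foobar%22%3A0%3A%7B%7D"},
    # O:3:"Foo":1:{s:1:"x";O:3:"Bar":0:{}} -> alert listing both Foo and Bar
    {"method": "POST", "path": "/sync-invoke",
     "body": "data=O%3A3%3A%22Foo%22%3A1%3A%7Bs%3A1%3A%22x%22%3BO%3A3%3A%22Bar%22%3A0%3A%7B%7D%7D"},
]


if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(f"{alert['method']} {alert['path']} param={alert['param']} "
              f"classes={alert['classes']}")
```

Running the script against the constructed records flags only the two `/sync-invoke` posts. Serialized arrays and length-mismatched lookalikes pass through, which is the trade-off to make explicit when tuning such a rule: a header check like this spots well-formed object payloads, but for the MixPHP issue itself the risky direction is the response the client receives from a server, so the same `find_php_objects` check belongs on outbound connections' response bodies as much as on inbound POST parameters.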
GHSA
GHSA-jc3r-732w-jg7c (unreviewed, 2026-05-01): Unsafe deserialization vulnerability in MixPHP Framework 2
CVE-2026-42471 [HIGH], CWE-502
VulDB
VulDB (2026-05-01, CVSS 8.1): MixPHP Framework up to 2.2.17 Connection.php unserialize deserialization
CVE-2026-42471 [HIGH]
A vulnerability was found in MixPHP Framework up to 2.2.17. It has been classified as critical. The affected element is the function unserialize of the file Connection.php. Performing a manipulation results in deserialization.
This vulnerability is cataloged as CVE-2026-42471. It is possible to initiate the attack remotely. There is no exploit available.
No detection rules found.
No writeups or analysis indexed.