CVE-2026-42471
published 2026-05-01


Priority: P2 (62) · Severity: high
CVSS 3.1 base score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 1.76% (75.1st percentile)
Unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if the client connects to a malicious server.

Detection & IOCs (extracted from sources)

path: Connection.php:76
command: O:1:"A":1:{s:1:"c";s:9:"id>/tmp/p";}
  • Monitor POST requests containing PHP serialized object strings (pattern: O:[0-9]+:"[A-Za-z]+":[0-9]+:{...}) in the 'data' parameter targeting MixPHP endpoints.
  • Alert on creation of unexpected files under /tmp/ (e.g., /tmp/p) by PHP worker processes, which may indicate successful deserialization RCE via __destruct() gadget chain.
  • Audit MixPHP sync-invoke client code at Connection.php line 76 for calls to unserialize() on server-supplied data; flag any MixPHP 2.x through 2.2.17 deployments as vulnerable.
  • Detect exploitation attempts by monitoring for system() or exec() calls spawned from PHP processes handling deserialized input, particularly where the MixPHP framework is in use.
  • The exploit PoC uses a local loopback target (127.0.0.1:8000) for lab demonstration; in real-world attacks the target URL and port will differ. Do not rely solely on this IP/port for detection.
  • The vulnerability is client-side: exploitation requires the MixPHP sync-invoke client to connect to a malicious server. The threat model should include scenarios where internal MixPHP clients are redirected to attacker-controlled servers.
  • The gadget chain demonstrated relies on a reachable __destruct() magic method. Actual exploitability in production depends on the gadget chains available within the deployed application's class hierarchy.
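The following is an added example, not MixPHP's own code, showing why the unserialize() call at Connection.php:76 is dangerous and what a hardened replacement for decoding a server reply looks like. It assumes PHP 8; class A is a hypothetical gadget stand-in whose destructor only reports that it ran, and the object-header regex from the detection note above is widened to allow digits, underscores and namespace separators in the class name.

```php
<?php
declare(strict_types=1);
// Hypothetical gadget stand-in (not from MixPHP): the destructor only reports
// that it was reached; it executes nothing.
class A
{
    public string $c = '';
    public function __destruct()
    {
        echo "  [gadget] __destruct() reached with c={$this->c}\n";
    }
}

// Serialized-object header, from the detection note above, widened to allow
// digits, underscores and namespace separators in the class name.
const SERIALIZED_OBJECT_RE = '/O:[0-9]+:"[A-Za-z0-9_\\\\]+":[0-9]+:\{/';

function containsSerializedObject(string $data): bool
{
    return preg_match(SERIALIZED_OBJECT_RE, $data) === 1;
}

// Hardened replacement for unserialize() on a server reply: reject objects
// up front, and pass allowed_classes=false so that even a payload slipping
// past the check becomes __PHP_Incomplete_Class, which has no destructor.
function decodeResponse(string $data): mixed
{
    if (containsSerializedObject($data)) {
        throw new UnexpectedValueException('serialized object in server response');
    }
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed inputs: the PoC payload quoted above and a benign array reply.
$malicious = 'O:1:"A":1:{s:1:"c";s:9:"id>/tmp/p";}';
$benign    = 'a:2:{s:2:"id";i:7;s:6:"result";s:2:"ok";}';

echo "plain unserialize() (vulnerable pattern):\n";
$obj = unserialize($malicious); // instantiates A; its destructor fires on unset
unset($obj);

echo "decodeResponse() (hardened):\n";
foreach ([$benign, $malicious] as $data) {
    try {
        echo '  accepted: ' . json_encode(decodeResponse($data)) . "\n";
    } catch (UnexpectedValueException $e) {
        echo '  rejected: ' . $e->getMessage() . "\n";
    }
}
```

The same regex can be reused in the request-side monitoring described above; the allowed_classes=false option is the client-side fix that removes the __destruct() trigger regardless of which gadget classes the application happens to load.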