Description
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution.
Published: 2026-05-01
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from unsafe deserialization in the MixPHP Framework's sync‑invoke TCP server. Data received from the socket is passed straight to Opis\Closure\unserialize() and the result is invoked through call_user_func(), with no authentication or integrity check on the connection. A client that can reach the port therefore supplies the closure the server will execute, which yields arbitrary PHP code execution with the privileges of the server process: a total loss of confidentiality, integrity, and availability on that host.

Affected Systems

MixPHP Framework versions 2.x through 2.2.17 are affected. The vulnerable code is in the Server.php component of the sync‑invoke module, which listens on a TCP socket bound to 127.0.0.1 (loopback only). No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) gives a base score of 8.4, high severity. The EPSS score is below 1% and the flaw is not in the CISA KEV catalog; the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: total. The attack vector is local: because the listener is bound to 127.0.0.1, an attacker needs a foothold on the host (another local user account, a compromised co‑located process such as the web application itself, or a container that shares the host's network namespace) to reach the port, and a remote attacker would first have to obtain such access by other means. Since no authentication exists, the server trusts every byte it receives, so exploitation is straightforward once the port is reachable.

Generated by OpenCVE AI on May 2, 2026 at 07:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a MixPHP Framework release newer than 2.2.17 once the vendor publishes one that removes or authenticates the Opis\Closure\unserialize() call on the sync‑invoke path; at the time of writing this page lists no vendor fix, so confirm the fix in the project's release notes rather than relying on a version number
  • If upgrading is not possible, note that the server already binds to 127.0.0.1, so loopback binding is not an additional mitigation: every local user and every process on the host can reach the port. Isolate the process instead: run the sync‑invoke server in its own network namespace or container so that only the intended client shares its loopback, or use a host firewall owner match (for example iptables -m owner --uid-owner on the OUTPUT chain) so that only the service's own UID may connect to the port
  • In the interim, disable or remove the sync‑invoke TCP server to eliminate the vulnerable code path
  • Put an authentication boundary in front of the server: require an HMAC (or an equivalent signature) over the whole serialized payload, verified against a shared key before any call to unserialize(), and reject unsigned or tampered data. Content inspection of serialized PHP is not a substitute, because the dangerous step is unserialize() itself, not what happens afterwards
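The authentication boundary described in the last bullet, as an added example in PHP that is not MixPHP's or Opis\Closure's own code. It assumes opis/closure 3.x installed via Composer; the wire framing (a 32‑byte raw HMAC‑SHA256 tag followed by the serialized body), the key provisioning, the function names and the sample payloads are illustrative assumptions and not the framework's real protocol. The first handler reproduces the pattern the CVE describes; the second verifies the tag with hash_equals() before any byte reaches unserialize().

```php
<?php
// Added example (not MixPHP's code). Wire format assumed for illustration:
//   payload := HMAC-SHA256(key, body) || body, where body = Opis\Closure\serialize($closure)
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumes: composer require opis/closure:^3

use function Opis\Closure\{serialize, unserialize};

const TAG_LEN = 32; // raw SHA-256 output length

// The pattern the CVE describes: bytes from the socket go straight into
// unserialize() and the result is invoked, so the peer chooses the code.
function handleVulnerable(string $payload)
{
    $closure = unserialize($payload);
    return call_user_func($closure);
}

// Client side: serialize the closure, then prepend an HMAC over those bytes.
function signPayload(string $key, \Closure $closure): string
{
    $body = serialize($closure);
    return hash_hmac('sha256', $body, $key, true) . $body;
}

// Server side: verify the tag before any byte reaches unserialize().
// The check must come first because unserialize() itself is the dangerous
// step (gadget chains via __wakeup/__destruct on any loadable class); a check
// on the deserialized result would already be too late.
function handleHardened(string $key, string $payload)
{
    if (strlen($payload) <= TAG_LEN) {
        throw new \RuntimeException('payload too short');
    }
    $tag  = substr($payload, 0, TAG_LEN);
    $body = substr($payload, TAG_LEN);
    $expected = hash_hmac('sha256', $body, $key, true);
    if (!hash_equals($expected, $tag)) {            // constant-time comparison
        throw new \RuntimeException('bad HMAC, refusing to unserialize');
    }
    $closure = unserialize($body);
    if (!$closure instanceof \Closure) {             // never invoke anything else
        throw new \RuntimeException('signed payload is not a closure');
    }
    return $closure();
}

// Demo with constructed payloads. The key would normally be provisioned
// out of band to both ends; here it is generated in-process.
$key = random_bytes(32);

$trusted = signPayload($key, function () { return 'ran a closure from the trusted peer'; });
echo handleHardened($key, $trusted), PHP_EOL;

// An unsigned payload, i.e. what an unauthenticated local client can send.
$hostile = serialize(function () { return 'ran attacker-supplied code'; });
echo handleVulnerable($hostile), PHP_EOL;            // the vulnerable path executes it
try {
    handleHardened($key, $hostile);
} catch (\RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;   // the hardened path never unserializes it
}
```

Opis\Closure 3.x also offers its own closure signing through SerializableClosure::setSecretKey(), which is worth enabling as a second layer, but it only covers the SerializableClosure object inside the stream: a plain PHP unserialize() of the surrounding data still runs first, so an attacker can substitute any other serializable class with useful magic methods. An HMAC over the whole payload, checked before deserialization, is what actually closes the door.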


Advisories

No advisories yet.

History

Sat, 02 May 2026 08:15:00 +0000

Type: Title
Values Removed: (none)
Values Added: Unsafe Deserialization in MixPHP Framework 2.x Allows Arbitrary Code Execution via TCP

Fri, 01 May 2026 20:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-502

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 01 May 2026 16:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution.

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T19:45:48.969Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37552

Vulnrichment

Updated: 2026-05-01T19:38:44.093Z

NVD

Status: Received

Published: 2026-05-01T16:16:30.917

Modified: 2026-05-01T20:16:23.680

Link: CVE-2026-37552

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:00:14Z

Weaknesses