Description
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if connecting to a malicious server.
Published: 2026-05-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MixPHP Framework's sync-invoke client contains an unsafe deserialization flaw (CWE-502). The client passes the raw server response to PHP's unserialize() without restricting which classes may be instantiated or otherwise validating the payload. A server under the attacker's control can return a crafted serialized object graph; when the client deserializes it, magic methods such as __wakeup(), __unserialize() or __destruct() on classes already present in the client's autoload path run with attacker-chosen property values, which is the standard route from unserialize() to arbitrary code execution. The client needs no special privileges and no user interaction: making an ordinary sync-invoke request to the wrong server is enough.

Affected Systems

All MixPHP Framework 2.x releases that ship the sync-invoke client are affected, up to and including 2.2.17. The advisory names no fixed release, and no vendor fix or workaround is recorded. The flaw sits on the client side of sync-invoke (Connection.php, line 76), so every application code path that issues a sync-invoke call to a remote server is exposed, whichever module the call originates from.

Risk and Exploitability

The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) rates this High: network-reachable, no privileges or user interaction required, and full impact on confidentiality, integrity and availability, with high attack complexity because the attacker must control, or be able to impersonate, a server the client connects to. The EPSS estimate is below 1%, the SSVC assessment records no known exploitation and rates the flaw not automatable, and it is not listed in CISA's KEV catalog. Code runs with the privileges of the client process, so a client running under a privileged user or service account hands the attacker a correspondingly larger foothold. With no vendor fix recorded, the practical risk is driven by how easily the deployment's clients can be pointed at, or redirected to, hosts outside its trust boundary.

Generated by OpenCVE AI on May 2, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a MixPHP Framework release that removes the unserialize() call from the sync-invoke client, or restricts it (for example with allowed_classes => false), once such a release is published; none is identified yet.
  • If an upgrade is not immediately possible, disable the sync-invoke feature: remove the sync-invoke client component from the application, or change the affected call sites so they no longer use it. A client that only talks to a server you also operate remains exposed if that server can be compromised or impersonated.
  • Restrict where the client can connect: authenticate the server end of the connection (TLS with certificate validation where the transport supports it), keep an allowlist of permitted server addresses in the client configuration, and block outbound traffic to anything else with host or network firewall rules.

Generated by OpenCVE AI on May 2, 2026 at 12:26 UTC.
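The following is an added illustration of the pattern the advisory describes and of the two hardening options, written for this page; it is not MixPHP code and does not reproduce Connection.php. The ReportWriter class, the function names and the response string are constructed stand-ins (any autoloadable class with a magic method would serve an attacker the same way). It assumes PHP 8.0 or later for the mixed return type and ::class on objects.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for any class on the client's autoload path that has a
// magic method. A real attacker picks a gadget class that already exists in the
// client's dependency tree; no class needs to be "planted".
final class ReportWriter
{
    public string $path = '';
    public string $content = '';

    // Called automatically when the object is freed, which happens moments after
    // unserialize() materialises it from the server response.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// The vulnerable shape described by the advisory: the response body goes
// straight into unserialize(). Modelled here, not copied from Connection.php.
function decodeResponseUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened variant 1: keep the serialize() wire format but forbid object
// instantiation. Any O:... token becomes __PHP_Incomplete_Class, so no
// __wakeup/__unserialize/__destruct/__toString code path is reachable.
function decodeResponseNoClasses(string $raw): mixed
{
    $value = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 32]);
    if ($value === false && $raw !== 'b:0;') {   // 'b:0;' is serialize(false)
        throw new RuntimeException('malformed sync-invoke response');
    }
    return $value;
}

// Hardened variant 2: switch the wire format to JSON, which cannot carry
// objects with behaviour, and fail closed on anything that does not parse.
function decodeResponseJson(string $raw): mixed
{
    return json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
}

// Constructed rogue-server response. Built from a string template on purpose:
// the attacker needs only the class name and property names, never an instance.
function craftMaliciousResponse(string $class, string $path, string $content): string
{
    return sprintf(
        'O:%d:"%s":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
        strlen($class), $class,
        strlen($path), $path,
        strlen($content), $content
    );
}

$target = sys_get_temp_dir() . '/mixphp-deser-demo.txt';
$evil   = craftMaliciousResponse(ReportWriter::class, $target, "written by a rogue server\n");

@unlink($target);
decodeResponseUnsafe($evil);                    // ReportWriter::__destruct fires on free
echo 'unsafe: file created? ', var_export(is_file($target), true), PHP_EOL;

@unlink($target);
$v = decodeResponseNoClasses($evil);            // no constructor, no destructor runs
echo 'hardened: file created? ', var_export(is_file($target), true), PHP_EOL;
echo 'hardened: decoded as ', $v::class, PHP_EOL;

try {
    decodeResponseJson($evil);                  // serialize() syntax is not JSON
} catch (JsonException $e) {
    echo 'json: rejected (', $e->getMessage(), ')', PHP_EOL;
}
```

allowed_classes => false is the smallest change, but it breaks any caller that legitimately expects objects in a sync-invoke response; an allowlist of specific data-transfer classes is the middle ground, and is only safe if none of those classes, nor anything reachable from their properties, defines a magic method an attacker can steer. Moving the wire format to JSON removes the class of bug outright, which is why it is the preferable fix when the protocol can be changed on both ends.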


Advisories

No advisories yet.

History

Sat, 02 May 2026 12:45:00 +0000

Type          Values Removed   Values Added
Title         (none)           Client-Side Remote Code Execution via Unsafe Deserialization in MixPHP Framework 2.x

Fri, 01 May 2026 19:15:00 +0000

Type          Values Removed   Values Added
Weaknesses    (none)           CWE-502
Metrics       (none)           cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 01 May 2026 16:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if connecting to a malicious server.
References    (none)


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T18:23:59.344Z

Reserved: 2026-04-27T00:00:00.000Z

Link: CVE-2026-42471

Vulnrichment

Updated: 2026-05-01T18:23:56.103Z

NVD

Status : Received

Published: 2026-05-01T16:16:31.470

Modified: 2026-05-01T19:16:30.990

Link: CVE-2026-42471

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:30:27Z

Weaknesses