Description
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from Redis in the RedisHandler object.
Published: 2026-05-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unsafe deserialization vulnerability (CWE-502) exists in MixPHP Framework 2.x through 2.2.17. The session and cache handlers call PHP's unserialize() on data read from Redis in the RedisHandler object, so whoever can write to those Redis keys controls the input to unserialize(). A crafted serialized payload makes PHP instantiate attacker-chosen classes and run their magic methods on load, which, given a usable gadget chain in the application or its dependencies, leads to arbitrary code execution on the server running the framework.

Affected Systems

MixPHP Framework versions 2.x up to and including 2.2.17 are affected. No other vendors or products are identified.

Risk and Exploitability

The CVE description does not state the attack vector, so it is inferred to involve influencing what is stored in Redis: either by compromising or directly reaching the Redis instance, or by using an application code path that stores attacker-controlled data under a session or cache key. Whoever controls that stored value controls the input to unserialize(), and a crafted serialized object is enough for PHP to instantiate arbitrary autoloadable classes and run their magic methods (__wakeup, __unserialize, __destruct); whether that reaches code execution depends on the gadget classes available in the application and its dependencies. The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) gives a 9.8 Critical score, and the SSVC assessment records Automatable: yes and Technical Impact: total with Exploitation: none, consistent with a deserialization flaw that can yield full control of the application without user interaction once the payload is in place.

Generated by OpenCVE AI on May 2, 2026 at 10:46 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade MixPHP Framework to a version newer than 2.2.17 once one is available.
  • Do not pass data read from Redis to unserialize() without restriction: in PHP 7.0 and later, call unserialize($raw, ['allowed_classes' => false]) (or an explicit allow-list of classes) so that objects in the payload are not instantiated and their magic methods never run; sessions and caches that hold only scalars and arrays are unaffected by this change.
  • If upgrading is not immediately possible, switch the session and cache handlers to a data-only format such as JSON (json_encode/json_decode) and validate the decoded structure, and restrict access to the Redis instance (authentication, binding to localhost or a private interface, no unauthenticated network exposure) so that only the application can write the keys the handlers read.

Generated by OpenCVE AI on May 2, 2026 at 10:46 UTC.
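An added example (not MixPHP's code and not part of the OpenCVE analysis) that puts the vulnerable pattern next to the two mitigations recommended above. FakeRedis, AuditHook, loadSessionVulnerable, loadSessionNoObjects, storeSessionJson and loadSessionJson are hypothetical names standing in for the framework's RedisHandler; the stored payload is constructed for the demonstration. It needs PHP 8.0 or later and no Redis server:

```php
<?php
declare(strict_types=1);

// Added example; not MixPHP code. FakeRedis is an in-memory stand-in for the Redis
// client so the file runs offline; the handler functions below are hypothetical
// names, not the framework's RedisHandler API.
final class FakeRedis
{
    private array $data = [];

    public function get(string $key): string|false
    {
        return $this->data[$key] ?? false;
    }

    public function set(string $key, string $value): void
    {
        $this->data[$key] = $value;
    }
}

// Hypothetical application class standing in for any autoloadable class with a
// magic method. Its side effect here is only an echo.
final class AuditHook
{
    public string $target = '';

    public function __wakeup(): void
    {
        echo "  AuditHook::__wakeup ran with target={$this->target}\n";
    }
}

// The pattern the CVE describes: whatever sits in the key is handed to unserialize().
function loadSessionVulnerable(FakeRedis $redis, string $key): mixed
{
    $raw = $redis->get($key);
    return $raw === false ? null : unserialize($raw);
}

// Mitigation 1: keep the native format but forbid object instantiation. Objects in
// the payload become __PHP_Incomplete_Class, so no method of the attacker's chosen
// class (__wakeup, __unserialize, __destruct) is ever invoked.
function loadSessionNoObjects(FakeRedis $redis, string $key): mixed
{
    $raw = $redis->get($key);
    if ($raw === false) {
        return null;
    }
    $value = @unserialize($raw, ['allowed_classes' => false]); // @ hides the notice on malformed input
    if ($value === false && $raw !== 'b:0;') {                  // 'b:0;' is the legitimate serialize(false)
        return null;                                           // malformed blob: treat as a cache miss
    }
    return $value;
}

// Mitigation 2: store a data-only format. json_decode() cannot create application objects.
function storeSessionJson(FakeRedis $redis, string $key, array $data): void
{
    $redis->set($key, json_encode($data, JSON_THROW_ON_ERROR));
}

function loadSessionJson(FakeRedis $redis, string $key): ?array
{
    $raw = $redis->get($key);
    if ($raw === false) {
        return null;
    }
    try {
        $value = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($value) ? $value : null;
}

// Constructed demonstration: this is what an attacker who can write to the session
// key would store. serialize() is used only to build the string readably.
$redis = new FakeRedis();
$hook = new AuditHook();
$hook->target = 'attacker-chosen-value';
$redis->set('sess:demo', serialize(['user_id' => 42, 'hook' => $hook]));

echo "vulnerable handler:\n";
$v = loadSessionVulnerable($redis, 'sess:demo');  // reading the key triggers AuditHook::__wakeup
echo '  hook class: ', get_class($v['hook']), "\n";

echo "allowed_classes => false:\n";
$h = loadSessionNoObjects($redis, 'sess:demo');   // same array shape, no AuditHook code runs
echo '  hook class: ', get_class($h['hook']), "\n";

echo "JSON handler:\n";
storeSessionJson($redis, 'sess:json', ['user_id' => 42]);
var_dump(loadSessionJson($redis, 'sess:json'));
$redis->set('sess:json', '{"user_id":42,"hook":{"__class":"AuditHook"}}'); // tampered blob
var_dump(loadSessionJson($redis, 'sess:json')['hook']);                    // decodes to a plain array
```

Run it with `php example.php`. The first handler executes AuditHook::__wakeup() merely by reading the key; the second returns the same array with the hook slot holding a __PHP_Incomplete_Class instance and nothing from AuditHook executed; the JSON handler has no way to produce application objects, so the tampered blob decodes to a nested array. Where stored data genuinely must contain objects, pass an explicit list to allowed_classes rather than true, and treat the Redis write path as part of the trust boundary.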

Advisories

No advisories yet.

History

Sat, 02 May 2026 11:15:00 +0000

  Type          Values Removed   Values Added
  Title         (none)           Serialization Vulnerability in MixPHP Framework Causing Potential Remote Code Execution

Fri, 01 May 2026 19:15:00 +0000

  Type          Values Removed   Values Added
  Weaknesses    (none)           CWE-502
  Metrics       (none)           cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                                 ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 01 May 2026 16:00:00 +0000

  Type          Values Removed   Values Added
  Description   (none)           Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from Redis in the RedisHandler object.
  References    (none)

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T18:23:07.926Z

Reserved: 2026-04-27T00:00:00.000Z

Link: CVE-2026-42472

Vulnrichment

Updated: 2026-05-01T18:23:04.085Z

NVD

Status : Received

Published: 2026-05-01T16:16:31.587

Modified: 2026-05-01T19:16:31.153

Link: CVE-2026-42472

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T11:00:06Z

Weaknesses