Description
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from the filesystem in the FileHandler object.
Published: 2026-05-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is unsafe deserialization using the built-in unserialize function on data read from the server’s filesystem. Because session and cache handlers call unserialize on files stored in the FileHandler object, an attacker who can create or modify those files could inject a serialized PHP object that triggers code execution during unserialization. This flaw can lead to arbitrary code execution on the server if the application accepts arbitrary payloads that are written to disk.

Affected Systems

The flaw affects all releases of MixPHP Framework from version 2.0 up through 2.2.17. Applications built with any of these versions that use the default session or cache modules are vulnerable. No vendor identification is available, but the framework is maintained on GitHub and the vulnerability is known in the public code base.

Risk and Exploitability

The CVE has a CVSS score of 9.8, indicating a severe risk. The EPSS score is not available and the vulnerability is not listed in CISA KEV. Despite limited exploitation data, the nature of deserialization flaws and the ability to inject malicious objects into files stored by the FileHandler mean that an attacker who can create or modify those files could trigger arbitrary code execution on the server. The risk is high for exposed web sites or services where the session/cache directory can be written to by untrusted parties.

Generated by OpenCVE AI on May 2, 2026 at 07:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MixPHP Framework to version 2.2.18 or later.
  • If upgrading is not feasible, stop using the default FileHandler-based session and cache modules or replace unserialize calls with safer deserialization options.
  • Ensure that the directories used for session and cache storage are not writable by external users or those who could upload files, restricting file permissions to only required service accounts.

Generated by OpenCVE AI on May 2, 2026 at 07:55 UTC.
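To make the third recommended action concrete, here is an added illustration (not MixPHP's own code) of a minimal file-backed cache read in the style of a FileHandler, showing the weak unserialize() pattern next to a hardened one. The class and method names, the cacheDir parameter, and PHP 8.x syntax are assumptions.

```php
<?php
// Added example, not MixPHP's code: a minimal file-backed cache read in the
// style of a FileHandler. CacheRead, getUnsafe, getSafe and cacheDir are hypothetical.
declare(strict_types=1);

final class CacheRead
{
    public function __construct(private string $cacheDir) {}

    private function pathFor(string $key): string
    {
        // Hash the key so a caller-controlled key cannot select an arbitrary file.
        return rtrim($this->cacheDir, '/') . '/' . hash('sha256', $key) . '.cache';
    }

    // Weak pattern (CWE-502): whatever is on disk is handed straight to
    // unserialize(), so a serialized object placed in that file is
    // instantiated, and its magic methods run, as soon as it is read.
    public function getUnsafe(string $key): mixed
    {
        $raw = @file_get_contents($this->pathFor($key));
        return $raw === false ? null : unserialize($raw);
    }

    // Hardened read: only scalars and arrays are reconstructed. Any object in
    // the file becomes __PHP_Incomplete_Class (no constructor or magic method
    // runs), and the read is refused outright if the file is world-writable.
    public function getSafe(string $key): mixed
    {
        $path = $this->pathFor($key);
        if (!is_file($path)) {
            return null;
        }
        if ((fileperms($path) & 0002) !== 0) {
            throw new RuntimeException("refusing world-writable cache file: $path");
        }
        $raw = file_get_contents($path);
        $value = unserialize($raw, ['allowed_classes' => false]);
        // Top-level object means the file was tampered with; surface it rather
        // than silently returning a placeholder object.
        if ($value instanceof __PHP_Incomplete_Class) {
            throw new RuntimeException("serialized object found in cache file: $path");
        }
        return $value;
    }
}
```

Storing cache and session payloads as JSON (json_encode/json_decode) removes unserialize() from the read path entirely, which is the stronger option when the cached data is plain arrays and scalars.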

Advisories

No advisories yet.

History

Sat, 02 May 2026 08:15:00 +0000

Type: Title
Values Added: Unsafe Deserialization Resulting in Remote Code Execution in MixPHP Framework

Fri, 01 May 2026 19:15:00 +0000

Type: Weaknesses
Values Added: CWE-502

Type: Metrics
Values Added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 01 May 2026 16:00:00 +0000

Type: Description
Values Added: Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from the filesystem in the FileHandler object.

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T18:22:27.023Z

Reserved: 2026-04-27T00:00:00.000Z

Link: CVE-2026-42473

Vulnrichment

Updated: 2026-05-01T18:22:17.880Z

NVD

Status: Received

Published: 2026-05-01T16:16:31.703

Modified: 2026-05-01T19:16:31.300

Link: CVE-2026-42473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:00:14Z

Weaknesses