CVE-2026-42471

HIGH

MixPHP Framework 2.x-2.2.17 - Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42471. PoCs published by cardosource.

AI-analyzed exploit summary This exploit demonstrates a PHP deserialization vulnerability in MixPHP Framework 2.2.17, allowing remote code execution via a crafted payload targeting the __destruct() magic method. The PoC sends a serialized object to trigger command execution (e.g., 'id>/tmp/p').

Description

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if connecting to a malicious server.

Exploits (1)

exploitdb WORKING POC
by cardosource · pythonwebappsphp
https://www.exploit-db.com/exploits/52590

This exploit demonstrates a PHP deserialization vulnerability in MixPHP Framework 2.2.17, allowing remote code execution via a crafted payload targeting the __destruct() magic method. The PoC sends a serialized object to trigger command execution (e.g., 'id>/tmp/p').

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: MixPHP Framework 2.x through 2.2.17
No auth needed
Prerequisites: PHP application with unserialize() on user-controlled input · MixPHP Framework 2.x through 2.2.17
devstral-2 · analyzed May 30, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 8.1
EPSS 0.0125
EPSS Percentile 65.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Published May 01, 2026
Tracked Since May 01, 2026