
@sgInnora
Created April 30, 2026 08:49
MixPHP 2.x Deserialization RCE and SQL Injection (CVE-2026-37552, CVE-2026-42471 through 42475)

MixPHP Framework 2.x ≤ 2.2.17 — Deserialization RCE and SQL Injection

Vendor: MixPHP (github.com/mix-php/mix)
Affected: 2.x ≤ 2.2.17
Reporter: Feng Ning, Innora Security Research (feng@innora.ai)
Disclosure: 2026-04-30

| CVE | Type | CWE | CVSS |
|---|---|---|---|
| CVE-2026-37552 | Deserialization RCE — sync-invoke TCP server | CWE-502 | 9.8 |
| CVE-2026-42471 | Deserialization RCE — sync-invoke client | CWE-502 | 9.8 |
| CVE-2026-42472 | Deserialization RCE — session handler | CWE-502 | 8.1 |
| CVE-2026-42473 | Deserialization RCE — cache handler | CWE-502 | 8.1 |
| CVE-2026-42474 | SQL Injection — data() function | CWE-89 | 8.8 |
| CVE-2026-42475 | SQL Injection — joinOn() function | CWE-89 | 8.8 |

Deserialization Vulnerabilities (CVE-2026-37552, 42471, 42472, 42473)

Four distinct trust boundaries in MixPHP pass attacker-controlled data directly to PHP's native unserialize(). No allowlist. No integrity check. All four are independently exploitable via a PHP POP chain.

CVE-2026-37552 — sync-invoke TCP server: the server deserializes objects received from remote clients with no authentication gate. Network-accessible, pre-auth, CVSS 9.8.

CVE-2026-42471 — sync-invoke client: server responses are deserialized on the client side. If an attacker can sit between client and server — or compromise the server — this becomes a lateral movement path.

CVE-2026-42472 / CVE-2026-42473 — session and cache handlers: both read from Redis or Memcached and call unserialize() without verifying data integrity first. Compromise the backing store, or inject into it through a separate weakness, and you get RCE on the app server.

```php
// Vulnerable pattern: $input is attacker-controlled (network payload, Redis/Memcached entry)
$data = unserialize($input);  // no validation, no allowlist: any class named in $input is instantiated
```

Fix: pass the allowed_classes option as the second argument (unserialize($input, ['allowed_classes' => false]) refuses every object; an explicit list of class names permits only those), or replace with JSON serialization wherever object types aren't required. For the session and cache handlers, additionally authenticate the stored payload (e.g. an HMAC checked before unserialize()) so a tampered backing store never reaches the parser.
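The following is an added example, not MixPHP code, showing the vulnerable call beside the hardened forms the fix describes: allowed_classes set to false, an explicit class list, an HMAC integrity check for data round-tripped through Redis/Memcached, and a JSON alternative. All function, class and key names (loadNoObjects, CachedProfile, storeTagged, the $secret key) are assumptions made for the illustration.

```php
<?php
// Added example, not MixPHP code. All names below are hypothetical.

// Vulnerable: any class named in $input is instantiated, so its magic methods run.
function loadVulnerable(string $input): mixed
{
    return unserialize($input);
}

// Hardened (a): refuse every object. With allowed_classes => false, serialized objects
// become __PHP_Incomplete_Class, so no application __wakeup()/__destruct() fires.
// Walk the result so an object nested inside an array is rejected, not silently kept.
function loadNoObjects(string $input): mixed
{
    $value = unserialize($input, ['allowed_classes' => false]);
    if ($value === false && $input !== serialize(false)) {
        throw new UnexpectedValueException('malformed serialized data');
    }
    assertNoIncompleteClass($value);
    return $value;
}

function assertNoIncompleteClass(mixed $value): void
{
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('object in untrusted payload rejected');
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            assertNoIncompleteClass($item);
        }
    }
}

// Hardened (b): when one specific DTO is genuinely required, name it explicitly.
final class CachedProfile
{
    public function __construct(public string $name, public int $age) {}
}

function loadProfile(string $input): CachedProfile
{
    $value = unserialize($input, ['allowed_classes' => [CachedProfile::class]]);
    if (!$value instanceof CachedProfile) {
        throw new UnexpectedValueException('expected CachedProfile');
    }
    return $value;
}

// Hardened (c): integrity for data stored in Redis/Memcached (the session and cache
// cases). Tag on write, verify with a constant-time compare before unserialize().
// $secret is an assumed server-side key that is never stored with the data.
function storeTagged(string $secret, mixed $value): string
{
    $payload = serialize($value);
    return hash_hmac('sha256', $payload, $secret) . '|' . $payload;
}

function loadTagged(string $secret, string $stored): mixed
{
    [$tag, $payload] = explode('|', $stored, 2) + [null, null];
    if ($tag === null || $payload === null
        || !hash_equals(hash_hmac('sha256', $payload, $secret), $tag)) {
        throw new UnexpectedValueException('cache entry failed integrity check');
    }
    // Integrity passed, but still restrict classes: defence in depth.
    return unserialize($payload, ['allowed_classes' => [CachedProfile::class]]);
}

// Hardened (d): JSON where no object types are needed; nothing is ever instantiated.
function loadJson(string $input): array
{
    return json_decode($input, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed demonstration values.
$secret = 'constructed-demo-secret';
$stored = storeTagged($secret, new CachedProfile('alice', 30));
echo loadTagged($secret, $stored)->name, "\n";

// A payload swapped inside the store fails the tag check before any parsing happens.
$tampered = substr($stored, 0, 64) . '|O:8:"stdClass":0:{}';
try {
    loadTagged($secret, $tampered);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}

// An object smuggled inside an array is rejected by the recursive walk.
try {
    loadNoObjects('a:1:{i:0;O:8:"stdClass":0:{}}');
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}
```

Variant (a) is the right default for the session and cache handlers, which normally hold scalars and arrays; variant (c) matters because allowed_classes alone does not tell you whether the Redis or Memcached entry was written by your application, and a tag check fails closed before the parser runs.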


SQL Injection (CVE-2026-42474, CVE-2026-42475)

The query builder concatenates user-supplied array contents directly into SQL. Neither the keys nor the values go through parameterization.

CVE-2026-42474 — data() function: array keys and values land verbatim inside INSERT/UPDATE statements. An attacker controlling the input array can break out of the intended query structure.

CVE-2026-42475 — joinOn() function: table and column names from the on array are concatenated straight into JOIN clauses. Identifier injection here is not mitigated by prepared statements alone — schema metadata validation is also required.

Fix: migrate to PDO prepared statements; for identifiers (table/column names), validate against an explicit allowlist derived from schema metadata before interpolation.
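The following is an added example, not MixPHP's query builder, showing the concatenating data() shape described above next to a hardened builder: values are bound through PDO placeholders, and table/column identifiers for both INSERT and JOIN ... ON are validated against an allowlist loaded from schema metadata before they are interpolated. The class and method names (SafeQueryBuilder, insertVulnerable, insert, joinOn, fromPdo) and the sample schema are assumptions made for the illustration.

```php
<?php
// Added example, not MixPHP code. Class, method and schema names are hypothetical.

final class SafeQueryBuilder
{
    /** @param array<string, string[]> $schema  table name => column names */
    public function __construct(private array $schema) {}

    // Build the identifier allowlist from the live schema (MySQL/MariaDB information_schema).
    public static function fromPdo(PDO $pdo, string $database): self
    {
        $stmt = $pdo->prepare(
            'SELECT TABLE_NAME, COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = ?'
        );
        $stmt->execute([$database]);
        $schema = [];
        foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
            $schema[$row['TABLE_NAME']][] = $row['COLUMN_NAME'];
        }
        return new self($schema);
    }

    // Vulnerable shape described for data(): array keys and values concatenated verbatim.
    public static function insertVulnerable(string $table, array $data): string
    {
        $cols = implode(', ', array_keys($data));
        $vals = implode(', ', array_map(fn ($v) => "'" . $v . "'", $data));
        return "INSERT INTO {$table} ({$cols}) VALUES ({$vals})";
    }

    // Hardened: identifiers validated against the schema, values bound. Returns [sql, params].
    public function insert(string $table, array $data): array
    {
        $quotedTable = $this->table($table);
        $cols = [];
        foreach (array_keys($data) as $key) {
            $cols[] = $this->column($table, (string) $key);
        }
        $sql = sprintf(
            'INSERT INTO %s (%s) VALUES (%s)',
            $quotedTable,
            implode(', ', $cols),
            implode(', ', array_fill(0, count($cols), '?'))
        );
        return [$sql, array_values($data)];
    }

    // Hardened joinOn(): $on maps 'table.column' => 'table.column'; every part is checked.
    public function joinOn(string $right, array $on): string
    {
        $conds = [];
        foreach ($on as $left => $ref) {
            $conds[] = $this->qualified($left) . ' = ' . $this->qualified($ref);
        }
        return 'INNER JOIN ' . $this->table($right) . ' ON ' . implode(' AND ', $conds);
    }

    private function table(string $name): string
    {
        if (!array_key_exists($name, $this->schema)) {
            throw new InvalidArgumentException("unknown table: {$name}");
        }
        return '`' . $name . '`';
    }

    private function column(string $table, string $name): string
    {
        if (!in_array($name, $this->schema[$table] ?? [], true)) {
            throw new InvalidArgumentException("unknown column: {$table}.{$name}");
        }
        return '`' . $name . '`';
    }

    private function qualified(string $ref): string
    {
        [$table, $column] = explode('.', $ref, 2) + [null, null];
        if ($table === null || $column === null) {
            throw new InvalidArgumentException("expected table.column, got {$ref}");
        }
        return $this->table($table) . '.' . $this->column($table, $column);
    }
}

// Constructed schema standing in for fromPdo() output.
$qb = new SafeQueryBuilder([
    'users'  => ['id', 'name', 'email'],
    'orders' => ['id', 'user_id', 'total'],
]);

// Constructed hostile key: a column name that is not a column at all.
$hostile = ['name) -- ' => 'x'];
echo SafeQueryBuilder::insertVulnerable('users', $hostile), "\n";  // structure broken
try {
    $qb->insert('users', $hostile);                                // rejected up front
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

[$sql, $params] = $qb->insert('users', ['name' => "O'Brien", 'email' => 'o@example.test']);
echo $sql, "\n";
// $pdo->prepare($sql)->execute($params);

echo $qb->joinOn('orders', ['users.id' => 'orders.user_id']), "\n";
```

Placeholders cover the values; they cannot cover the identifiers, which is why joinOn() above routes every table and column through the schema-derived allowlist and fails closed on anything it has not seen.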


Innora Security Research — https://innora.ai
