CVE-2026-42471

Published May 1st, 2026

View on NVD ↗

CVSS v3

8.1

HIGH

CVSS v2

N/A

Affected

PROJECT

Description

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if connecting to a malicious server.

mix-php/mix

☄️ PHP CLI mode development framework, supports Swoole, WorkerMan, FPM, CLI-Server / PHP 命令行模式开发框架，支持 Swoole、Swow、WorkerMan、FPM、CLI-Server

GitHub

1.93K