CVE-2026-42471 · HIGH 8.1 · EPSS p65.5%

Description

Unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received in the server response, enabling client-side remote code execution (RCE) if the client connects to a malicious server.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.25% probability of exploitation · percentile 65.5% · 2026-06-19T12:03:05Z
Published: 2026-05-01
Last modified: 2026-05-05

Underlying weaknesses · 1

CWE-502

References

  1. https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975
  2. https://github.com/mix-php/mix
  3. https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php

Type · Target · Confidence · Tier
Weakness · Deserialization of Untrusted Data (cwe-502) · 0% · live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-42472
CVE: CVE-2026-42473
CVE: CVE-2026-37552
CVE: CVE-2025-60245
CVE: CVE-2025-24601
CVE: Sitecore XP Remote Command Execution Vulnerability

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.