LeakyCreds

CVE-2026-42472 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: May 1, 2026

MixPHP Framework - Insecure Deserialization

Published: May 1, 2026 | Updated: May 1, 2026 | Remote Exploitable

Overview

MixPHP Framework 2.x through 2.2.17 contains an insecure deserialization vulnerability caused by the use of unserialize() on data read from Redis in RedisHandler, which lets attackers execute arbitrary code remotely. Exploitation requires the attacker to control the Redis data.

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Attackers can execute arbitrary code remotely by exploiting unsafe deserialization in RedisHandler.

Mitigation

Update to the latest version beyond 2.2.17, or apply patches that avoid unsafe use of unserialize().
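
The pattern the advisory describes next to one way of avoiding it, as an added example that is not MixPHP's own code or patch. The function names are hypothetical, the sample values are constructed, and it assumes PHP 7.2 or later and that the stored value is an array of plain data.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not MixPHP's RedisHandler code.

// Pattern the advisory describes: the stored string goes straight into
// unserialize(), so any loadable class can be instantiated and its magic
// methods (__wakeup, __destruct) run on state chosen by whoever wrote the key.
function decodeUnsafe(string $raw)
{
    return unserialize($raw);
}

// Reject any object, at any depth, in a decoded value.
function assertNoObjects($value): void
{
    if (is_object($value)) {
        throw new UnexpectedValueException('object found in stored value');
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            assertNoObjects($item);
        }
    }
}

// Hardened read: same serialize() format, but no class may be instantiated.
// Objects in the payload decode to __PHP_Incomplete_Class and are refused.
function decodeNoObjects(string $raw): array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('stored value is not an array');
    }
    assertNoObjects($value);
    return $value;
}

// Constructed sample values standing in for what a Redis GET would return.
$plain  = serialize(['uid' => 42, 'roles' => ['editor']]);
$nested = serialize(['uid' => 42, 'prefs' => new stdClass()]); // benign object

var_dump(decodeNoObjects($plain));
try {
    decodeNoObjects($nested);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Storing the data as JSON instead of serialize() output removes object instantiation from the read path entirely, at the cost of migrating existing keys.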

Details

CVE ID: CVE-2026-42472
Severity: Critical
CVSS Score: 9.8
Type: insecure_deserialization
Status: new

CWE

  • CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H