LeakyCreds

CVE-2026-42473 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: May 1, 2026

MixPHP Framework - Insecure Deserialization

Published: May 1, 2026 | Updated: May 1, 2026 | Remote Exploitable

Overview

MixPHP Framework 2.x through 2.2.17 contains an insecure deserialization vulnerability caused by the use of unserialize() on filesystem data in the FileHandler session and cache handlers. It lets attackers execute arbitrary code remotely; exploitation requires crafted data in the filesystem.

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Attackers can execute arbitrary code remotely by exploiting insecure deserialization in session and cache handlers.

Mitigation

Update to a version later than 2.2.17, or to the latest available version.

Details

CVE ID: CVE-2026-42473
Severity: Critical
CVSS Score: 9.8
Type: insecure_deserialization
Status: new

CWE

  • CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H