CVE-2026-42471
Published: 01 May 2026
Summary
CVE-2026-42471 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 24.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is an unsafe deserialization flaw (CWE-502) in the MixPHP Framework versions 2.x through 2.2.17. It resides in the sync-invoke client component, where Connection.php:76 invokes unserialize() directly on data returned from a server response, allowing arbitrary object instantiation when that data originates from an untrusted source.
An attacker operating a malicious server can trigger client-side remote code execution when a vulnerable MixPHP client connects to it. The attack requires no privileges or user interaction on the client and carries a CVSS 3.1 score of 8.1, reflecting high impact on confidentiality, integrity, and availability despite the high attack complexity.
Public references point to the MixPHP GitHub repository and a detailed gist describing the issue in the sync-invoke Server.php and client code, but no official patch or mitigation guidance is supplied in the available references. The associated EPSS score remains flat at 0.0231 with no observed rise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26672
Vulnerability details
Unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if the client connects to a malicious server.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unsafe deserialization in the MixPHP sync-invoke client directly enables remote code execution when connecting to a malicious server, mapping to Exploitation for Client Execution (T1203) as the primary technique for achieving arbitrary code execution on the client.
Mitigating Controls (NIST 800-53 r5)
- Timely remediation of the unsafe unserialize() call in the MixPHP sync-invoke client directly eliminates the deserialization vulnerability that enables client-side RCE.
- SI-10 (Information Input Validation): validates and error-handles untrusted server response data before deserialization, blocking malicious payloads that would lead to RCE.
- SC-7 (Boundary Protection): restricts outbound connections from the MixPHP client to trusted servers only, preventing exposure to malicious responses that exploit the deserialization flaw.
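The unsafe pattern described in the deeper analysis, beside a hardened variant that applies the input-validation control above, as an added illustration that is not MixPHP's own code or its patch; the function names and the expected response shape (an array of scalars) are assumptions made for the example.

```php
<?php
// Added illustration, not MixPHP's code: the unsafe pattern the advisory
// describes next to a hardened variant. Function names and the expected
// response shape (an array of scalars) are assumptions for the example.
declare(strict_types=1);

// Unsafe: the raw server response goes straight into unserialize(), so a
// malicious server can instantiate any class the client has loaded.
function decodeResponseUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened: allowed_classes => false means no object is ever instantiated
// (objects arrive as __PHP_Incomplete_Class and so never run __wakeup or
// __destruct logic), and the result must match the expected shape.
function decodeResponseSafe(string $raw): array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        throw new RuntimeException('Malformed server response');
    }
    if (!is_array($value)) {
        throw new RuntimeException('Unexpected response type');
    }
    array_walk_recursive($value, static function ($leaf): void {
        if ($leaf !== null && !is_scalar($leaf)) {
            throw new RuntimeException('Non-scalar value in server response');
        }
    });
    return $value;
}

// Constructed sample responses: a benign result and one carrying a
// serialized object, as a malicious server could return.
$benign  = serialize(['result' => 42]);
$hostile = 'O:8:"stdClass":1:{s:1:"x";i:1;}';

var_dump(decodeResponseSafe($benign));
try {
    decodeResponseSafe($hostile);
} catch (RuntimeException $e) {
    // The object form is rejected by the type check rather than instantiated.
    echo $e->getMessage(), PHP_EOL;
}
```

Where the protocol allows it, moving the transport to a format with no object semantics, such as JSON, removes this bug class entirely rather than filtering it.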