Cyber Resilience

CVE-2026-42471

Severity: High · RCE

Published: 01 May 2026
Modified: 05 May 2026
KEV Added: none listed
Patch: none listed
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0176 (75.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-42471 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 24.8% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is an unsafe deserialization flaw (CWE-502) in the MixPHP Framework versions 2.x through 2.2.17. It resides in the sync-invoke client component, where Connection.php:76 invokes unserialize() directly on data returned from a server response, allowing arbitrary object instantiation when that data originates from an untrusted source.

An attacker operating a malicious server can trigger client-side remote code execution when a vulnerable MixPHP client connects to it. The attack requires no privileges or user interaction on the client and carries a CVSS 3.1 score of 8.1, reflecting high impact on confidentiality, integrity, and availability despite the high attack complexity.

Public references point to the MixPHP GitHub repository and a detailed gist describing the issue in the sync-invoke Server.php and client code, but no official patch or mitigation guidance is supplied in the available references. The associated EPSS score remains flat at 0.0231 with no observed rise.

Vulnerability details

Unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if the client connects to a malicious server.

CWE(s): CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The unsafe deserialization in the MixPHP sync-invoke client directly enables remote code execution when connecting to a malicious server, mapping to Exploitation for Client Execution (T1203) as the primary technique for achieving arbitrary code execution on the client.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-33210 (shared CWE-502)
CVE-2025-60035 (shared CWE-502)
CVE-2026-24765 (shared CWE-502)
CVE-2025-54539 (shared CWE-502)
CVE-2026-48207 (shared CWE-502)
CVE-2025-33214 (shared CWE-502)
CVE-2025-33252 (shared CWE-502)
CVE-2025-60036 (shared CWE-502)
CVE-2026-25925 (shared CWE-502)
CVE-2026-24216 (shared CWE-502)

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Timely remediation of the unsafe unserialize() call in the MixPHP sync-invoke client directly eliminates the deserialization vulnerability enabling client-side RCE.

Prevent: Validating and error-handling untrusted server response data before deserialization blocks malicious payloads that would otherwise lead to RCE.

Prevent: Restricting outbound connections from the MixPHP client to trusted servers only prevents exposure to malicious responses that exploit the deserialization flaw.
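The following is an added illustration, not code from MixPHP or from the advisory's references. It is a stand-in for a sync-invoke client decode routine: the unsafe pattern the vulnerability details describe (unserialize() straight on the server reply, kept only for contrast) next to a hardened version that applies the two controls above, validating the reply before deserialization and connecting only to an allowlisted server. The function names, the server allowlist and the sample replies are constructed for the example.

```php
<?php
// Added example (not MixPHP code): stand-in for a sync-invoke client that
// turns a raw server reply into a PHP value. Sample replies are constructed.
$benignReply = serialize(['ok' => true, 'result' => 42]);
$objectReply = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

// Vulnerable pattern (CWE-502): whatever object graph the server sends is
// instantiated, so a malicious server chooses which classes get created.
function decodeReplyUnsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened: bound the size, refuse serialized objects up front, and tell
// unserialize() never to instantiate classes (max_depth needs PHP >= 7.4).
function decodeReplySafe(string $raw, int $maxBytes = 65536): array
{
    if (strlen($raw) > $maxBytes) {
        throw new RuntimeException('reply too large');
    }
    // Conservative pre-check: a result should be a plain array, so reject any
    // object (O:) or custom (C:) record; benign strings with such text fail closed.
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $raw)) {
        throw new RuntimeException('object payload rejected');
    }
    $value = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 32]);
    if (!is_array($value)) {
        throw new RuntimeException('malformed reply');
    }
    return $value;
}
// Boundary control: connect only to allowlisted servers (constructed value),
// so an attacker-operated server is never contacted in the first place.
const TRUSTED_SERVERS = ['rpc.internal.example:9000'];

function checkTarget(string $host, int $port): string
{
    $target = $host . ':' . $port;
    if (!in_array($target, TRUSTED_SERVERS, true)) {
        throw new RuntimeException('refusing untrusted server ' . $target);
    }
    return $target;
}
var_dump(decodeReplySafe($benignReply));
try {
    decodeReplySafe($objectReply);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with the PHP CLI; the benign array reply is decoded while the object reply is rejected before unserialize() ever sees it, and a call to checkTarget() with any host not in TRUSTED_SERVERS throws before a socket is opened.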
