CVE-2026-37552: n/a
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution.
AI Analysis
Technical Summary
The MixPHP Framework 2.x through 2.2.17 contains an unsafe deserialization vulnerability in its sync-invoke TCP server (Server.php at line 87). This server accepts data over a TCP socket bound to localhost and directly passes it to Opis\Closure\unserialize(), then executes the deserialized closure via call_user_func(). Because there is no authentication or signature verification on the TCP connection, an attacker with access to the localhost TCP port can send a malicious serialized PHP closure to achieve arbitrary code execution on the server.
Potential Impact
Successful exploitation allows an attacker with local TCP access to execute arbitrary code on the affected system. This can lead to complete system compromise, data loss, or further attacks within the environment. The vulnerability requires local access to the TCP port bound to 127.0.0.1, limiting remote exploitation but still posing a significant risk if an attacker can reach the localhost interface.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the localhost TCP port used by the sync-invoke server to trusted users and processes only. Monitor for any unauthorized local access attempts. Do not expose the TCP service beyond localhost. Follow vendor updates closely for any forthcoming patches or official mitigations.
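The missing control named above is authentication of the frame before it is deserialized. The following is an added example, not MixPHP code or a vendor fix: a PHP sketch that checks an HMAC-SHA256 tag on each received frame and hands the payload onward only when the tag verifies. The function names, the frame layout (32-byte tag followed by the payload) and the shared key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not MixPHP code). Assumed frame layout:
//   32-byte HMAC-SHA256 tag || serialized payload
const TAG_LEN = 32;

/** Caller side (hypothetical helper): prepend a tag computed with the shared key. */
function sign_frame(string $payload, string $key): string
{
    return hash_hmac('sha256', $payload, $key, true) . $payload;
}

/**
 * Server side (hypothetical helper): return the payload only if the tag
 * verifies, otherwise null. Nothing read from the socket should reach
 * Opis\Closure\unserialize() or call_user_func() unless this returns non-null.
 */
function verify_frame(string $frame, string $key): ?string
{
    if (strlen($frame) <= TAG_LEN) {
        return null; // too short to hold a tag plus any payload
    }
    $tag      = substr($frame, 0, TAG_LEN);
    $payload  = substr($frame, TAG_LEN);
    $expected = hash_hmac('sha256', $payload, $key, true);

    // hash_equals() compares in constant time.
    return hash_equals($expected, $tag) ? $payload : null;
}

// Constructed demo values; a real key would be provisioned out of band
// and readable only by the worker processes that need it.
$key   = random_bytes(32);
$frame = sign_frame(serialize(['task' => 'demo', 'args' => [1, 2, 3]]), $key);

// Flip one bit of the payload to simulate a modified frame.
$tampered = $frame;
$tampered[TAG_LEN] = chr(ord($tampered[TAG_LEN]) ^ 0x01);

printf("valid frame accepted:    %s\n", var_export(verify_frame($frame, $key) !== null, true));
printf("tampered frame accepted: %s\n", var_export(verify_frame($tampered, $key) !== null, true));
printf("wrong-key frame accepted: %s\n", var_export(verify_frame($frame, random_bytes(32)) !== null, true));
```

A tag check only authenticates the sender: any process that can read the key can still submit closures for execution, so the key's file permissions carry the same weight as access to the port.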
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-04-06T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69f4cbfccbff5d8610073127
Added to database: 5/1/2026, 3:51:24 PM
Last enriched: 5/1/2026, 4:06:20 PM
Last updated: 5/2/2026, 5:49:30 AM