CVE-2026-37552: MixPHP Framework Unsafe Deserialization Exposes Servers to RCE
The National Vulnerability Database has detailed CVE-2026-37552, a high-severity unsafe deserialization vulnerability impacting MixPHP Framework versions 2.x through 2.2.17. This flaw resides in the sync-invoke TCP server (Server.php:87), which directly passes data from a localhost TCP socket to Opis\Closure\unserialize() and then executes the result via call_user_func(). There is no authentication or signature verification, allowing a local attacker to achieve arbitrary code execution.
This isn’t a remote RCE in the typical sense; the server binds to 127.0.0.1. However, local privilege escalation or chaining with another vulnerability that grants localhost access is a clear path to exploitation. The ability to execute arbitrary PHP closures means full system compromise is on the table once an attacker has that initial foothold. A CVSS score of 8.4 (HIGH) reflects this critical impact, with high confidentiality, integrity, and availability impacts.
Defenders need to understand the chaining potential here. While not directly internet-facing, any compromise of a web server or application running MixPHP Framework could quickly lead to full host takeover via this vulnerability. It’s a critical component in a multi-stage attack and should not be dismissed due to its local access requirement.
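The two missing controls the advisory names are authentication of the sender and a signature over the payload; the third weakness is that the payload itself is executable (a deserialized closure handed to call_user_func()). The following is an added illustrative example, not MixPHP's own code and not the content of Server.php: it sketches a local request channel that verifies an HMAC tag before parsing anything and dispatches only to a fixed allow-list of named operations, so the client never supplies code to deserialize. The envelope format, the secret, and the handler names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not MixPHP code). Hardened shape for a local "sync-invoke"
// channel: authenticate the envelope, then dispatch by name, never by
// deserialising a caller-supplied closure.

const HMAC_ALGO = 'sha256';

// Build an authenticated envelope: "<hex hmac>.<base64 json>".
function seal(array $request, string $secret): string
{
    $body = base64_encode(json_encode($request, JSON_THROW_ON_ERROR));
    $tag  = hash_hmac(HMAC_ALGO, $body, $secret);
    return $tag . '.' . $body;
}

// Verify the tag before touching the body; any mismatch or malformed input
// yields null and nothing in the body is ever interpreted.
function open(string $envelope, string $secret): ?array
{
    $parts = explode('.', $envelope, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$tag, $body] = $parts;
    $expected = hash_hmac(HMAC_ALGO, $body, $secret);
    if (!hash_equals($expected, $tag)) {   // constant-time comparison
        return null;
    }
    $decoded = base64_decode($body, true);
    if ($decoded === false) {
        return null;
    }
    $request = json_decode($decoded, true);
    return is_array($request) ? $request : null;
}

// Fixed allow-list of operations (hypothetical names). The client chooses a
// key, not the code that runs, so there is no unserialize() sink at all.
const HANDLERS = [
    'ping' => 'op_ping',
    'sum'  => 'op_sum',
];

function op_ping(array $args): string { return 'pong'; }
function op_sum(array $args): int { return array_sum(array_map('intval', $args)); }

function dispatch(string $envelope, string $secret): array
{
    $request = open($envelope, $secret);
    if ($request === null) {
        return ['ok' => false, 'error' => 'rejected: bad signature or malformed envelope'];
    }
    $op   = $request['op'] ?? null;
    $args = $request['args'] ?? [];
    if (!is_string($op) || !isset(HANDLERS[$op]) || !is_array($args)) {
        return ['ok' => false, 'error' => 'rejected: unknown op or bad args'];
    }
    $handler = HANDLERS[$op];
    return ['ok' => true, 'result' => $handler($args)];
}

// Demo with a constructed secret. In a real deployment load it from a config
// file with restrictive permissions; never hard-code it as done here.
$secret = 'example-secret-do-not-use';

// Well-formed, correctly signed request: accepted and dispatched.
$good = seal(['op' => 'sum', 'args' => [1, 2, 3]], $secret);
var_dump(dispatch($good, $secret));

// Body altered after signing: the HMAC check fails before the JSON is parsed.
$tampered = explode('.', $good, 2);
$tampered[1] = base64_encode(json_encode(['op' => 'sum', 'args' => [9, 9]]));
var_dump(dispatch(implode('.', $tampered), $secret));

// Raw unsigned bytes, the shape the vulnerable server accepted: rejected.
var_dump(dispatch('not-an-envelope', $secret));

// Correctly signed but not on the allow-list: rejected as well.
var_dump(dispatch(seal(['op' => 'exec', 'args' => []], $secret), $secret));
```

Two design points are worth noting. First, the signature is checked with hash_equals() before base64 or JSON decoding runs, so an unauthenticated local client cannot reach any parser. Second, signing alone is not a complete fix for the pattern the advisory describes: an HMAC over serialized closure bytes still leaves a closure-executing sink in place for anyone who obtains the key (Opis\Closure 3.x offers such signing via SerializableClosure::setSecretKey(), but whether MixPHP's fixed release relies on it is not stated on the page). Replacing the closure with an allow-listed operation name removes the sink entirely; applying the vendor update remains the primary remediation.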
What This Means For You
- If your organization runs the MixPHP Framework, specifically versions 2.x through 2.2.17, you are exposed to local arbitrary code execution via CVE-2026-37552. Patching is paramount. Immediately identify all instances of MixPHP Framework within your environment and apply the available updates. Even though the sync-invoke server is exposed only on localhost, assume an attacker who gains any foothold on the host will pivot to this vulnerability. Prioritize this patch now.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-37552 | Deserialization | MixPHP Framework 2.x through 2.2.17 |
| CVE-2026-37552 | RCE | MixPHP Framework sync-invoke TCP server (Server.php:87) using Opis\Closure\unserialize() and call_user_func() |
| CVE-2026-37552 | Auth Bypass | No authentication or signature verification on TCP connection for MixPHP Framework sync-invoke TCP server |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 01, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.