CVE-2026-37552

Source
https://cve.org/CVERecord?id=CVE-2026-37552
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-37552.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-37552
Published
2026-05-01T00:00:00Z
Modified
2026-07-15T01:49:13.888562695Z
Severity
  • 8.4 (High) CVSS_V3 - CVSS:3.1/AC:L/AV:L/A:H/C:H/I:H/PR:N/S:U/UI:N CVSS Calculator
Summary
[none]
Details

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via calluserfunc(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/37xxx/CVE-2026-37552.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/mix-php/mix

Affected ranges

Type
GIT
Repo
https://github.com/mix-php/mix
Events
Database specific
{
    "cpe": "cpe:2.3:a:openmix:mix_php:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "2.0.1"
        },
        {
            "last_affected": "2.2.17"
        }
    ]
}

Affected versions

v2.*
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.1.0
v2.1.0-RC
v2.1.0-RC2
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.15
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.9
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.4
v2.2.5
v2.2.7
v2.2.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-37552.json"