PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-37552 mix-php CVE debrief

CVE-2026-37552 is an unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The sync-invoke TCP server receives data from a TCP socket, passes it directly to Opis Closure unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port can send a crafted serialized PHP closure to achieve arbitrary code execution.

Vendor
mix-php
Product
MixPHP Framework
CVSS
HIGH 8.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-01
Original CVE updated
2026-07-08
Advisory published
2026-05-01
Advisory updated
2026-07-08

Who should care

Users of MixPHP Framework 2.x through 2.2.17, especially those with exposed TCP ports, should prioritize patching this vulnerability to prevent potential code execution. This is crucial for operators managing affected deployments, as it can help prevent unauthorized access and potential code execution. Platform administrators and security teams should also be aware of this vulnerability and take necessary actions to mitigate its impact. Additionally, reviewing and updating security protocols for TCP connections and ensuring that only necessary services have access to the TCP port can help reduce the risk of exploitation.

Technical summary

The vulnerability exists in the sync-invoke TCP server (Server.php:87) of MixPHP Framework. The server receives data from a TCP socket, passes it directly to Opis Closure unserialize(), and then executes the result via call_user_func(). This process lacks authentication or signature verification, allowing an attacker with access to the localhost TCP port (server binds 127.0.0.1) to send a crafted serialized PHP closure and achieve arbitrary code execution.

Defensive priority

High

Recommended defensive actions

  • Apply the latest patch (version 2.2.18 or later) to the MixPHP Framework.
  • Restrict access to the TCP port to only necessary services.
  • Implement additional authentication or signature verification for the TCP connection.
  • Monitor for suspicious activity on the TCP port.
  • Consider using a Web Application Firewall (WAF) to detect and prevent exploitation attempts.

Evidence notes

The CVE record was published on 2026-05-01T16:16:30.917Z and was last modified on 2026-07-08T03:26:23.180Z. The NVD entry is currently Analyzed. The vulnerability has a CVSS score of 8.4 and is classified as HIGH severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-05-01T16:16:30.917Z and has not been modified since then. The NVD entry is currently Analyzed.