PatchSiren cyber security CVE debrief
CVE-2026-37552 mix-php CVE debrief
CVE-2026-37552 is an unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The sync-invoke TCP server receives data from a TCP socket, passes it directly to Opis Closure unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port can send a crafted serialized PHP closure to achieve arbitrary code execution.
- Vendor
- mix-php
- Product
- MixPHP Framework
- CVSS
- HIGH 8.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-01
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-05-01
- Advisory updated
- 2026-07-08
Who should care
Users of MixPHP Framework 2.x through 2.2.17, especially those with exposed TCP ports, should prioritize patching this vulnerability to prevent potential code execution. This is crucial for operators managing affected deployments, as it can help prevent unauthorized access and potential code execution. Platform administrators and security teams should also be aware of this vulnerability and take necessary actions to mitigate its impact. Additionally, reviewing and updating security protocols for TCP connections and ensuring that only necessary services have access to the TCP port can help reduce the risk of exploitation.
Technical summary
The vulnerability exists in the sync-invoke TCP server (Server.php:87) of MixPHP Framework. The server receives data from a TCP socket, passes it directly to Opis Closure unserialize(), and then executes the result via call_user_func(). This process lacks authentication or signature verification, allowing an attacker with access to the localhost TCP port (server binds 127.0.0.1) to send a crafted serialized PHP closure and achieve arbitrary code execution.
Defensive priority
High
Recommended defensive actions
- Apply the latest patch (version 2.2.18 or later) to the MixPHP Framework.
- Restrict access to the TCP port to only necessary services.
- Implement additional authentication or signature verification for the TCP connection.
- Monitor for suspicious activity on the TCP port.
- Consider using a Web Application Firewall (WAF) to detect and prevent exploitation attempts.
Evidence notes
The CVE record was published on 2026-05-01T16:16:30.917Z and was last modified on 2026-07-08T03:26:23.180Z. The NVD entry is currently Analyzed. The vulnerability has a CVSS score of 8.4 and is classified as HIGH severity.
Official resources
-
CVE-2026-37552 CVE record
CVE.org
-
CVE-2026-37552 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
-
Source reference
[email protected] - Product
-
Source reference
[email protected] - Product
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-05-01T16:16:30.917Z and has not been modified since then. The NVD entry is currently Analyzed.