PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42475 mix-php CVE debrief

A SQL injection vulnerability exists in MixPHP Framework versions 2.x through 2.2.17. The vulnerability is caused by improper handling of the `on` array in the `joinOn` function of `BuildHelper.php`. This allows attackers to inject malicious SQL code, potentially leading to unauthorized data access or modification. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM. Users of MixPHP Framework versions 2.x through 2.2.17 should be aware of this vulnerability and take steps to mitigate it. This includes applying the latest security patches and ensuring that user input is properly sanitized.

Vendor
mix-php
Product
MixPHP Framework
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-01
Original CVE updated
2026-07-08
Advisory published
2026-05-01
Advisory updated
2026-07-08

Who should care

Users of MixPHP Framework versions 2.x through 2.2.17 should be aware of this vulnerability and take steps to mitigate it. This includes applying the latest security patches and ensuring that user input is properly sanitized. Operators, platform administrators, vulnerability management teams, and security teams should review the CVE record and NVD entry for additional information on the vulnerability and take necessary actions to protect their systems.

Technical summary

The SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 is caused by the lack of proper input validation in the `joinOn` function of `BuildHelper.php`. An attacker can exploit this vulnerability by crafting a malicious `on` array, potentially leading to unauthorized data access or modification. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM. The CVE record and NVD entry provide additional information on the vulnerability.

Defensive priority

Medium

Recommended defensive actions

  • Apply the latest security patches for MixPHP Framework
  • Ensure that user input is properly sanitized
  • Use prepared statements to prevent SQL injection
  • Monitor for suspicious database activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-05-01T16:16:31.930Z and was last modified on 2026-07-08T03:25:53.017Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus. However, the source detail is limited, and defenders should verify the affected scope and severity with the official CVE record and NVD entry. The CVE-2026-42475 record indicates a SQL injection vulnerability in MixPHP Framework versions 2.x through 2.2.17. The vulnerability is caused by improper handling of the `on` array in the `joinOn` function of `BuildHelper.php`.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-05-01T16:16:31.930Z and has not been modified since then. The NVD entry is currently Analyzed.