PatchSiren cyber security CVE debrief
CVE-2026-42475 mix-php CVE debrief
A SQL injection vulnerability exists in MixPHP Framework versions 2.x through 2.2.17. The vulnerability is caused by improper handling of the `on` array in the `joinOn` function of `BuildHelper.php`. This allows attackers to inject malicious SQL code, potentially leading to unauthorized data access or modification. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM. Users of MixPHP Framework versions 2.x through 2.2.17 should be aware of this vulnerability and take steps to mitigate it. This includes applying the latest security patches and ensuring that user input is properly sanitized.
- Vendor
- mix-php
- Product
- MixPHP Framework
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-01
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-05-01
- Advisory updated
- 2026-07-08
Who should care
Users of MixPHP Framework versions 2.x through 2.2.17 should be aware of this vulnerability and take steps to mitigate it. This includes applying the latest security patches and ensuring that user input is properly sanitized. Operators, platform administrators, vulnerability management teams, and security teams should review the CVE record and NVD entry for additional information on the vulnerability and take necessary actions to protect their systems.
Technical summary
The SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 is caused by the lack of proper input validation in the `joinOn` function of `BuildHelper.php`. An attacker can exploit this vulnerability by crafting a malicious `on` array, potentially leading to unauthorized data access or modification. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM. The CVE record and NVD entry provide additional information on the vulnerability.
Defensive priority
Medium
Recommended defensive actions
- Apply the latest security patches for MixPHP Framework
- Ensure that user input is properly sanitized
- Use prepared statements to prevent SQL injection
- Monitor for suspicious database activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-05-01T16:16:31.930Z and was last modified on 2026-07-08T03:25:53.017Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus. However, the source detail is limited, and defenders should verify the affected scope and severity with the official CVE record and NVD entry. The CVE-2026-42475 record indicates a SQL injection vulnerability in MixPHP Framework versions 2.x through 2.2.17. The vulnerability is caused by improper handling of the `on` array in the `joinOn` function of `BuildHelper.php`.
Official resources
-
CVE-2026-42475 CVE record
CVE.org
-
CVE-2026-42475 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
-
Source reference
[email protected] - Product
-
Source reference
[email protected] - Product
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-05-01T16:16:31.930Z and has not been modified since then. The NVD entry is currently Analyzed.