PatchSiren

mix-php CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM mix-php CVE published 2026-05-01

CVE-2026-42475

A SQL injection vulnerability exists in MixPHP Framework versions 2.x through 2.2.17. The vulnerability is caused by improper handling of the `on` array in the `joinOn` function of `BuildHelper.php`. This allows attackers to inject malicious SQL code, potentially leading to unauthorized data access or modification. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM. Users of MixPHP Framewo [truncated]

HIGH mix-php CVE published 2026-05-01

CVE-2026-37552

CVE-2026-37552 is an unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The sync-invoke TCP server receives data from a TCP socket, passes it directly to Opis Closure unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port can send a crafted serialized [truncated]