PT-2026-20985 · Unknown · Zumba/Json-Serializer
Thedeepopc · Published 2026-01-01 · Updated 2026-02-22 · CVE-2026-27206

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Zumba Json Serializer versions 3.2.2 and below

Description: The Zumba Json Serializer library allows PHP objects to be deserialized from JSON by means of a special @type field. Prior to version 3.2.3, the deserializer instantiates any class named in the @type field without restriction, so processing untrusted JSON can let an attacker instantiate arbitrary classes available in the application. If a vulnerable application passes attacker-controlled JSON to the JsonSerializer::unserialize() function and contains classes with dangerous magic methods, such as __wakeup() or __destruct(), this may lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on the gadget chains available in the application or its dependencies. Applications are impacted only if untrusted JSON is passed into JsonSerializer::unserialize() and the application or its dependencies contain exploitable classes.

Recommendations: Upgrade versions prior to 3.2.3 to version 3.2.3 or later. If an immediate upgrade is not possible, ensure that JsonSerializer::unserialize() is never called on untrusted or attacker-controlled JSON. Validate and sanitize all JSON input before deserialization. Disable object instantiation via the @type field in application logic where possible. After upgrading to version 3.2.3, configure an appropriate class allowlist using the setAllowedClasses() method to restrict which classes may be instantiated during deserialization.
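The following PHP guard is an added illustration of the interim recommendation above (validate JSON before deserialization, and refuse @type-driven instantiation of unexpected classes); it is not code from the advisory or from the zumba/json-serializer project. It assumes the library's documented object format, in which each serialized object is a JSON object carrying an "@type" key with the class name, and walks the decoded document to reject any @type value outside an explicit allowlist. The TypeFieldGuard class, the class names App\Dto\User, App\Dto\Address and Vendor\Lib\UnexpectedClass, and both sample inputs are hypothetical and constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory or of the zumba/json-serializer library.
// Application-side guard: reject any "@type" value that is not explicitly allowed
// before the JSON is handed to JsonSerializer::unserialize(). Requires PHP 8.0+.
final class TypeFieldGuard
{
    /** @var array<string, true> normalised (lower-case, no leading backslash) allowed class names */
    private array $allowed = [];

    /** @param list<string> $classes Fully qualified class names the application expects. */
    public function __construct(array $classes)
    {
        foreach ($classes as $class) {
            $this->allowed[self::normalise($class)] = true;
        }
    }

    /**
     * Returns every "@type" value in the document that is not on the allowlist.
     * An empty array means the document names only expected classes.
     * Throws JsonException on malformed JSON, which is also a reason to reject the input.
     *
     * @return list<string>
     */
    public function disallowedTypes(string $json): array
    {
        $decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        $found = [];
        $this->walk($decoded, $found);
        return array_values(array_unique($found));
    }

    private function walk(mixed $node, array &$found): void
    {
        if (!is_array($node)) {
            return; // scalars cannot carry an @type field
        }
        if (array_key_exists('@type', $node)) {
            $type = $node['@type'];
            // A non-string @type is never legitimate; a string must be on the allowlist.
            if (!is_string($type) || !isset($this->allowed[self::normalise($type)])) {
                $found[] = is_string($type) ? $type : '<non-string @type>';
            }
        }
        foreach ($node as $child) {
            $this->walk($child, $found); // nested objects and arrays are checked too
        }
    }

    private static function normalise(string $class): string
    {
        return strtolower(ltrim($class, '\\')); // PHP class names are case-insensitive
    }
}

// Constructed sample inputs (hypothetical class names) in the library's
// {"@type": "ClassName", ...} object format.
$expected = json_encode([
    '@type' => 'App\Dto\User',
    'id' => 7,
    'address' => ['@type' => 'App\Dto\Address', 'city' => 'Oslo'],
]);
$unexpected = json_encode([
    '@type' => 'App\Dto\User',
    'id' => 7,
    'address' => ['@type' => 'Vendor\Lib\UnexpectedClass', 'path' => '/tmp/x'],
]);

$guard = new TypeFieldGuard(['App\Dto\User', 'App\Dto\Address']);

foreach (['expected' => $expected, 'unexpected' => $unexpected] as $label => $json) {
    $bad = $guard->disallowedTypes($json);
    if ($bad === []) {
        echo "$label: ok, safe to pass to JsonSerializer::unserialize()\n";
    } else {
        echo "$label: rejected, unexpected @type value(s): " . implode(', ', $bad) . "\n";
    }
}
```

Only input that passes the guard should reach JsonSerializer::unserialize(); the first sample passes, the second is rejected because its nested object names a class the application never intended to instantiate. Matching is exact after normalising case and a leading backslash, so subclasses and interfaces are not implicitly allowed. After upgrading to 3.2.3 the advisory's recommended setAllowedClasses() enforces an allowlist inside the deserializer itself; this application-side check is for deployments that cannot upgrade immediately.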

Exploit · Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2026-27206
GHSA-V7M3-FPCR-H7M2

Affected Products

Zumba/Json-Serializer