Thedeepopc

Rank #14953 of 53,624 · Total CVSS 18 · Vulnerabilities: 2 (High: 1, Critical: 1)
PT-2026-20985
8.1
2026-01-01
Unknown · Zumba/Json-Serializer · CVE-2026-27206
**Name of the Vulnerable Software and Affected Versions**

Zumba Json Serializer versions 3.2.2 and below

**Description**

The Zumba Json Serializer library allows PHP objects to be deserialized from JSON by means of a special `@type` field. Prior to version 3.2.3, the deserializer instantiates whatever class the `@type` field names, without restriction. Processing untrusted JSON input with this behavior lets an attacker instantiate any class available to the application. If a vulnerable application passes attacker-controlled JSON into `JsonSerializer::unserialize()` and contains classes with dangerous magic methods, such as `__wakeup()` or `__destruct()`, this can lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on the gadget chains available in the application or its dependencies. Applications are impacted only if untrusted JSON is passed into `JsonSerializer::unserialize()` and the application or its dependencies contain exploitable classes.

**Recommendations**

Versions prior to 3.2.3 should be upgraded to version 3.2.3 or later. If an immediate upgrade is not possible, ensure that `JsonSerializer::unserialize()` is never called on untrusted or attacker-controlled JSON. Validate and sanitize all JSON input before deserialization. Disable object instantiation via the `@type` field in application logic where possible. After upgrading to version 3.2.3, configure an appropriate class allowlist using the `setAllowedClasses()` method to restrict which classes may be instantiated during deserialization.
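An added example (not the advisory's or the project's own code) of the interim mitigation described above for deployments that cannot upgrade yet: a guard that decodes the JSON, walks it for `@type` markers and rejects any class not on an allowlist, so only vetted input reaches `JsonSerializer::unserialize()`. It assumes the `@type` key holds a class name, as the advisory states; the `TypeGuard` class, the allowlist entries and the sample documents are constructed for illustration.

```php
<?php
// Added example, not from the advisory or the zumba/json-serializer project: a guard that
// rejects JSON naming any "@type" class outside an allowlist before unserialize() sees it.
// Assumes objects are marked with an "@type" key holding a class name; the list is illustrative.

final class TypeGuard
{
    /** @param list<string> $allowed fully-qualified class names permitted as "@type" */
    public function __construct(private array $allowed) {}

    // Decode and walk the whole document; throw on the first disallowed "@type".
    public function check(string $json): array
    {
        $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        $this->walk($data, '$');
        return $data;
    }

    private function walk(mixed $node, string $path): void
    {
        if (!is_array($node)) {
            return;
        }
        if (array_key_exists('@type', $node)) {
            $type = $node['@type'];
            // Nested objects are checked too, so a class hidden deep in the tree is caught.
            if (!is_string($type) || !in_array(ltrim($type, '\\'), $this->allowed, true)) {
                throw new UnexpectedValueException(
                    sprintf('Disallowed @type %s at %s', var_export($type, true), $path)
                );
            }
        }
        foreach ($node as $key => $child) {
            $this->walk($child, $path . '.' . $key);
        }
    }
}

// Constructed inputs: one naming only an allowed class, one carrying another class in a nested value.
$guard = new TypeGuard(['App\\Dto\\Address']);
$good  = '{"@type":"App\\\\Dto\\\\Address","city":"Berlin"}';
$bad   = '{"@type":"App\\\\Dto\\\\Address","meta":{"@type":"SomeOtherClass","x":1}}';

$guard->check($good); // passes: only now hand $good to JsonSerializer::unserialize()
try {
    $guard->check($bad);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL; // the rejection names the offending @type and its path
}
```

After upgrading to 3.2.3 the same allowlist belongs in `setAllowedClasses()`; keeping the guard in front of the call costs little and makes the accepted set explicit in application code.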