PT-2026-36487 · Unknown · Mixphp Framework

Sginnora · Published 2026-05-01 · Updated 2026-05-07 · CVE-2026-37552

CVSS v3.1: 8.4 (High)

Vector: AC:L/AV:L/A:H/C:H/I:H/PR:N/S:U/UI:N
Name of the Vulnerable Software and Affected Versions

MixPHP Framework versions 2.x through 2.2.17

Description

An unsafe deserialization issue exists in the sync-invoke TCP server. The server receives data from a TCP socket and passes it directly to the unserialize() function in the Opis\Closure namespace, then executes the result via call_user_func(). Because the TCP connection lacks authentication or signature verification, an attacker with access to the localhost TCP port (the server binds to 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
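
One way a receiver can close the gap the description names (no authentication or signature check before deserialization), as an added example that is not MixPHP's code: each frame carries an HMAC-SHA256 tag that is verified before parsing, and the request names an allowlisted handler in JSON instead of carrying a serialized closure. The frame layout, the handler names and the shared key are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not MixPHP code. Frame layout (32-byte MAC + JSON body),
// handler names and key handling are assumptions.
const MAC_LEN = 32; // raw HMAC-SHA256 output length

function seal_frame(array $request, string $key): string
{
    $body = json_encode($request, JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $body, $key, true) . $body;
}

function handle_frame(string $frame, string $key): array
{
    // Allowlist: the peer names an operation, it never supplies code.
    $table = [
        'add'   => fn(int $a, int $b): int => $a + $b,
        'upper' => fn(string $s): string => strtoupper($s),
    ];
    if (strlen($frame) <= MAC_LEN) {
        return ['ok' => false, 'error' => 'short frame'];
    }
    $mac  = substr($frame, 0, MAC_LEN);
    $body = substr($frame, MAC_LEN);
    // Constant-time MAC check happens before the body is parsed at all.
    if (!hash_equals(hash_hmac('sha256', $body, $key, true), $mac)) {
        return ['ok' => false, 'error' => 'bad mac'];
    }
    $req  = json_decode($body, true, 8); // plain data only, no unserialize()
    $op   = is_array($req) ? ($req['op'] ?? null) : null;
    $args = is_array($req) ? ($req['args'] ?? []) : null;
    if (!is_string($op) || !isset($table[$op]) || !is_array($args)) {
        return ['ok' => false, 'error' => 'bad request'];
    }
    try {
        return ['ok' => true, 'result' => $table[$op](...array_values($args))];
    } catch (\Throwable $e) { // wrong arity or types under strict_types
        return ['ok' => false, 'error' => 'bad args'];
    }
}

// Constructed sample: one sealed frame, one tampered after sealing.
$key  = random_bytes(32); // assumption: shared out of band by both processes
$good = seal_frame(['op' => 'add', 'args' => [2, 3]], $key);
$bad  = $good;
$bad[MAC_LEN + 8] = 'X';
var_dump(handle_frame($good, $key), handle_frame($bad, $key));
```

The MAC authenticates the sender but does not stop replay of a captured frame; a nonce or counter inside the signed body would be needed for that.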

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2026-37552

Affected Products: Mixphp Framework