PT-2026-36488 · Unknown · Mixphp Framework

Sginnora · Published 2026-05-01 · Updated 2026-05-05 · CVE-2026-42471

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

MixPHP Framework versions 2.x through 2.2.17

Description

An unsafe deserialization issue exists in the sync-invoke client, in Connection.php at line 76. The client calls unserialize() on data received in server responses, which can lead to client-side remote code execution (RCE) if the client connects to a malicious server. Unsafe deserialization occurs when untrusted data is used to instantiate an object, allowing an attacker to manipulate the object's state to execute arbitrary code.

Recommendations

Update MixPHP Framework to a version later than 2.2.17.
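
One way a client can decode a peer's response without instantiating objects, shown as an added example that is not MixPHP's code or its fix. The names decodeResponse(), assertNoObjects() and MAX_RESPONSE_BYTES are hypothetical, and the example assumes PHP 8.0 or later and responses that carry only scalars and arrays.

```php
<?php
declare(strict_types=1);

// Added example, not MixPHP source. decodeResponse(), assertNoObjects()
// and MAX_RESPONSE_BYTES are hypothetical names for this illustration.
const MAX_RESPONSE_BYTES = 1_048_576; // assumed cap for one response

// Risky pattern: any class the client can autoload may be instantiated,
// so __wakeup()/__destruct() code runs on server-controlled state.
//   $result = unserialize($payload);

/** Decode a server response while refusing to instantiate any object. */
function decodeResponse(string $payload): mixed
{
    if (strlen($payload) > MAX_RESPONSE_BYTES) {
        throw new LengthException('response too large');
    }
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class instead of constructing the real class.
    $value = @unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== serialize(false)) {
        throw new UnexpectedValueException('malformed response');
    }
    assertNoObjects($value);
    return $value;
}

/** Reject the response if any object placeholder survived decoding. */
function assertNoObjects(mixed $value): void
{
    if (is_object($value)) {
        throw new UnexpectedValueException('object in response rejected');
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            assertNoObjects($item);
        }
    }
}

// Constructed sample inputs.
var_dump(decodeResponse(serialize(['code' => 0, 'data' => [1, 2, 3]])));
try {
    decodeResponse('O:8:"stdClass":0:{}'); // serialized object from the peer
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Where the protocol allows it, a data-only encoding such as JSON removes the object-instantiation path entirely.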

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2026-42471

Affected Products

Mixphp Framework