PHPEMS is a PHP online mock exam system. PHPEMS suffers from a deserialization vulnerability that stems from unsafe deserialization processing of lib/session.cls.php when receiving serialized data submitted by a user, which can be exploited by an attacker to cause code execution.