Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the unserialize process. An attacker can execute arbitrary code by sending a crafted serialized PHP closure to the TCP server, which is then deserialized and executed without authentication or...

EUVD-2026-26670

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server Server.php:87 receives data from a TCP socket, passes it directly to Opis\Closure\unserialize, then executes the result via calluserfunc. No authentication or signature verification exists on the...

CVE-2026-37552

CVE-2026-37552 . Affected: MixPHP Framework 2.x up to 2.2.17. Root cause: unsafe deserialization using Opis\Closure\unserialize() on data received by the sync-invoke TCP server, then executed via call_user_func(). No authentication/signature on the localhost TCP port (127.0.0.1). Impact: arbitrar...

CVE-2026-23498

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map... override. This vulnerability is fixed in 6.7.6.1...

CVE-2026-23498 Shopware Improper Control of Generation of Code in Twig rendered views

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map... override. This vulnerability is fixed in 6.7.6.1...

CVE-2026-23498 Shopware Improper Control of Generation of Code in Twig rendered views

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map... override. This vulnerability is fixed in 6.7.6.1...

CVE-2026-23498

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map... override. This vulnerability is fixed in 6.7.6.1...

PT-2026-2949

Name of the Vulnerable Software and Affected Versions Shopware versions 6.7.0.0 through 6.7.6.0 Description A regression of a previously addressed issue allows the execution of unchecked PHP Closures within the map override function. This occurs due to insufficient validation of allowed functions...