CVE-2026-27206

CVE-2026-27206 affects the Zumba Json Serializer library, a PHP tool for serializing variables into JSON format, specifically in versions 3.2.2 and below. The vulnerability stems from the library's deserializer, which uses a special @type field in JSON input to instantiate arbitrary PHP classes without any restrictions. This enables PHP Object Injection when processing untrusted JSON via the JsonSerializer::unserialize() method, particularly if the application or its dependencies include classes with dangerous magic methods like __wakeup() or __destruct() that can be chained into exploits. The issue mirrors risks in PHP's native unserialize() function without allowed_classes restrictions and carries a CVSS v3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-502 (Deserialization of Untrusted Data).

Remote attackers can exploit this vulnerability by supplying malicious JSON input to applications that invoke JsonSerializer::unserialize() on untrusted data, such as from user submissions or external APIs. No privileges or user interaction are required, though exploitation demands some complexity, like crafting a valid gadget chain from available classes. Successful attacks can result in high-impact confidentiality, integrity, and availability violations, potentially escalating to remote code execution (RCE) depending on the application's codebase and dependencies.

The vulnerability was fixed in version 3.2.3 of the library, as detailed in the GitHub security advisory (GHSA-v7m3-fpcr-h7m2), release notes, and the patching commit. Advisories recommend immediate upgrades where possible and interim mitigations including avoiding deserialization of untrusted JSON with JsonSerializer::unserialize(), validating and sanitizing all JSON input prior to processing, and disabling @type-based object instantiation. Applications are only impacted if they process attacker-controlled JSON in this manner.