{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-27206",
        "tracking": {
            "current_release_date": "2026-04-02T02:22:07.102815Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-27206",
            "initial_release_date": "2026-02-19T22:39:42.195124Z",
            "revision_history": [
                {
                    "date": "2026-02-19T22:39:42.195124Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-02-19T22:39:45.297206Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-02-20T00:30:48.565505Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (15).| Product Identifiers created (14).| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-02-20T00:30:51.728039Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-20T00:44:13.287982Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Products created (1)."
                },
                {
                    "date": "2026-02-20T00:44:19.762989Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-21T07:24:37.447636Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-02-21T07:24:48.016109Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-21T07:38:27.159287Z",
                    "number": "9",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-02-21T07:38:37.085981Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-21T14:14:42.509098Z",
                    "number": "11",
                    "summary": "Source created.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-02-22T00:21:12.666913Z",
                    "number": "12",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (14).| References created (5).| CWES updated (1)."
                },
                {
                    "date": "2026-02-22T06:43:31.408248Z",
                    "number": "13",
                    "summary": "Description created for source."
                },
                {
                    "date": "2026-02-23T22:39:45.107012Z",
                    "number": "14",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-02-23T22:39:49.507442Z",
                    "number": "15",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-24T00:31:11.010814Z",
                    "number": "16",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-02-24T02:28:39.312383Z",
                    "number": "17",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-24T19:52:16.236765Z",
                    "number": "18",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-20T09:42:00.842478Z",
                    "number": "19",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-04-01T13:13:15.283949Z",
                    "number": "20",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "20"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/1.0.0",
                                "product": {
                                    "name": "vers:unknown/1.0.0",
                                    "product_id": "CSAFPID-5643110",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@1.0.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/1.0.1",
                                "product": {
                                    "name": "vers:unknown/1.0.1",
                                    "product_id": "CSAFPID-5643111",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@1.0.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/1.0.2",
                                "product": {
                                    "name": "vers:unknown/1.0.2",
                                    "product_id": "CSAFPID-5643113",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@1.0.2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.0",
                                "product": {
                                    "name": "vers:unknown/2.0.0",
                                    "product_id": "CSAFPID-5643115",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@2.0.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.1",
                                "product": {
                                    "name": "vers:unknown/2.0.1",
                                    "product_id": "CSAFPID-5643117",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@2.0.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.0",
                                "product": {
                                    "name": "vers:unknown/2.1.0",
                                    "product_id": "CSAFPID-5643119",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@2.1.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.0",
                                "product": {
                                    "name": "vers:unknown/2.2.0",
                                    "product_id": "CSAFPID-5643121",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@2.2.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.0.0",
                                "product": {
                                    "name": "vers:unknown/3.0.0",
                                    "product_id": "CSAFPID-5643122",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@3.0.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.0.1",
                                "product": {
                                    "name": "vers:unknown/3.0.1",
                                    "product_id": "CSAFPID-5643124",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@3.0.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.0.2",
                                "product": {
                                    "name": "vers:unknown/3.0.2",
                                    "product_id": "CSAFPID-5643126",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@3.0.2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.1.0",
                                "product": {
                                    "name": "vers:unknown/3.1.0",
                                    "product_id": "CSAFPID-5643128",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@3.1.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.2.0",
                                "product": {
                                    "name": "vers:unknown/3.2.0",
                                    "product_id": "CSAFPID-5643130",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@3.2.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.2.1",
                                "product": {
                                    "name": "vers:unknown/3.2.1",
                                    "product_id": "CSAFPID-5643132",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@3.2.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.2.2",
                                "product": {
                                    "name": "vers:unknown/3.2.2",
                                    "product_id": "CSAFPID-5643133",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/zumba/json-serializer@3.2.2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<3.2.3",
                                "product": {
                                    "name": "vers:unknown/<3.2.3",
                                    "product_id": "CSAFPID-5657724"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<3.2.3",
                                "product": {
                                    "name": "vers:unknown/>=0|<3.2.3",
                                    "product_id": "CSAFPID-5643135"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "json-serializer"
                    }
                ],
                "category": "vendor",
                "name": "zumba"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-5643366"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "php-zumba-json-serializer"
                            }
                        ],
                        "category": "product_family",
                        "name": "bookworm"
                    }
                ],
                "category": "vendor",
                "name": "debian"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-27206",
            "cwe": {
                "id": "CWE-502",
                "name": "Deserialization of Untrusted Data"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "### Description\n\nThe `zumba/json-serializer` library allows deserialization of PHP objects from JSON using a special `@type` field.\n\nPrior to version 3.2.3, the deserializer would instantiate any class specified in the `@type` field without restriction. When processing untrusted JSON input, this behavior may allow an attacker to instantiate arbitrary classes available in the application.\n\nIf a vulnerable application passes attacker-controlled JSON into JsonSerializer::unserialize() and contains classes with dangerous magic methods (such as `__wakeup()` or `__destruct()`), this may lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on available gadget chains in the application or its dependencies.\n\nThis behavior is similar in risk profile to PHP's native `unserialize()` when used without the `allowed_classes` restriction.\n\n### Impact\n\nThis vulnerability allows instantiation of arbitrary PHP classes via the `@type` field when deserializing JSON.\n\nApplications are impacted only if:\n* Untrusted or attacker-controlled JSON is passed into `JsonSerializer::unserialize()`, and\n* The application or its dependencies contain classes that can be leveraged as a gadget chain.\n\nSuccessful exploitation may lead to:\n* Arbitrary code execution\n* Data exfiltration\n* File manipulation\n* Denial of service\n\nApplications that only deserialize trusted data are not affected.\n\n### Patches\n\nThis issue is mitigated in version 3.2.3.\n\nVersion 3.2.3 introduces the method: `setAllowedClasses(?array $allowedClasses)`\n\nThis allows applications to restrict which classes may be instantiated during deserialization, similar to PHP's native `unserialize()` `allowed_classes` option.\n\nUsers should upgrade to version 3.2.3 or later and configure an appropriate class allowlist.\n\n### Workarounds\n\nIf upgrading is not immediately possible, applications should ensure that:\n* `JsonSerializer::unserialize()` is never called on untrusted or attacker-controlled JSON.\n* JSON input is validated and sanitized before deserialization.\n* Object instantiation via `@type` is disabled in application logic where possible.\n\nAfter upgrading, users can mitigate risk by explicitly configuring:\n\n```php\n$serializer->setAllowedClasses([]);\n```\n\nto disable all object instantiation, or by providing a strict allowlist of safe classes.\n\n### References\n\n* CWE-502: https://cwe.mitre.org/data/definitions/502.html\n* PHP `unserialize()` documentation: https://www.php.net/manual/en/function.unserialize.php\n* OWASP PHP Object Injection: https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection",
                    "title": "github - https://github.com/advisories/GHSA-v7m3-fpcr-h7m2"
                },
                {
                    "category": "description",
                    "text": "### Description\n\nThe `zumba/json-serializer` library allows deserialization of PHP objects from JSON using a special `@type` field.\n\nPrior to version 3.2.3, the deserializer would instantiate any class specified in the `@type` field without restriction. When processing untrusted JSON input, this behavior may allow an attacker to instantiate arbitrary classes available in the application.\n\nIf a vulnerable application passes attacker-controlled JSON into JsonSerializer::unserialize() and contains classes with dangerous magic methods (such as `__wakeup()` or `__destruct()`), this may lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on available gadget chains in the application or its dependencies.\n\nThis behavior is similar in risk profile to PHP's native `unserialize()` when used without the `allowed_classes` restriction.\n\n### Impact\n\nThis vulnerability allows instantiation of arbitrary PHP classes via the `@type` field when deserializing JSON.\n\nApplications are impacted only if:\n* Untrusted or attacker-controlled JSON is passed into `JsonSerializer::unserialize()`, and\n* The application or its dependencies contain classes that can be leveraged as a gadget chain.\n\nSuccessful exploitation may lead to:\n* Arbitrary code execution\n* Data exfiltration\n* File manipulation\n* Denial of service\n\nApplications that only deserialize trusted data are not affected.\n\n### Patches\n\nThis issue is mitigated in version 3.2.3.\n\nVersion 3.2.3 introduces the method: `setAllowedClasses(?array $allowedClasses)`\n\nThis allows applications to restrict which classes may be instantiated during deserialization, similar to PHP's native `unserialize()` `allowed_classes` option.\n\nUsers should upgrade to version 3.2.3 or later and configure an appropriate class allowlist.\n\n### Workarounds\n\nIf upgrading is not immediately possible, applications should ensure that:\n* `JsonSerializer::unserialize()` is never called on untrusted or attacker-controlled JSON.\n* JSON input is validated and sanitized before deserialization.\n* Object instantiation via `@type` is disabled in application logic where possible.\n\nAfter upgrading, users can mitigate risk by explicitly configuring:\n\n```php\n$serializer->setAllowedClasses([]);\n```\n\nto disable all object instantiation, or by providing a strict allowlist of safe classes.\n\n### References\n\n* CWE-502: https://cwe.mitre.org/data/definitions/502.html\n* PHP `unserialize()` documentation: https://www.php.net/manual/en/function.unserialize.php\n* OWASP PHP Object Injection: https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-v7m3-fpcr-h7m2.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Zumba Json Serializer is a library to serialize PHP variables in JSON format. In versions 3.2.2 and below, the library allows deserialization of PHP objects from JSON using a special @type field. The deserializer instantiates any class specified in the @type field without restriction. When processing untrusted JSON input, this behavior may allow an attacker to instantiate arbitrary classes available in the application. If a vulnerable application passes attacker-controlled JSON into JsonSerializer::unserialize() and contains classes with dangerous magic methods (such as __wakeup() or __destruct()), this may lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on available gadget chains in the application or its dependencies. This behavior is similar in risk profile to PHP's native unserialize() when used without the allowed_classes restriction. Applications are impacted only if untrusted or attacker-controlled JSON is passed into JsonSerializer::unserialize() and the application or its dependencies contain classes that can be leveraged as a gadget chain. This issue has been fixed in version 3.2.3. If an immediate upgrade isn't feasible, mitigate the vulnerability by never deserializing untrusted JSON with JsonSerializer::unserialize(), validating and sanitizing all JSON input before deserialization, and disabling @type-based object instantiation wherever possible.",
                    "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-27206"
                },
                {
                    "category": "description",
                    "text": "Zumba Json Serializer is a library to serialize PHP variables in JSON format. In versions 3.2.2 and below, the library allows deserialization of PHP objects from JSON using a special @type field. The deserializer instantiates any class specified in the @type field without restriction. When processing untrusted JSON input, this behavior may allow an attacker to instantiate arbitrary classes available in the application. If a vulnerable application passes attacker-controlled JSON into JsonSerializer::unserialize() and contains classes with dangerous magic methods (such as __wakeup() or __destruct()), this may lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on available gadget chains in the application or its dependencies. This behavior is similar in risk profile to PHP's native unserialize() when used without the allowed_classes restriction. Applications are impacted only if untrusted or attacker-controlled JSON is passed into JsonSerializer::unserialize() and the application or its dependencies contain classes that can be leveraged as a gadget chain. This issue has been fixed in version 3.2.3. If an immediate upgrade isn't feasible, mitigate the vulnerability by never deserializing untrusted JSON with JsonSerializer::unserialize(), validating and sanitizing all JSON input before deserialization, and disabling @type-based object instantiation wherever possible.",
                    "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-27206"
                },
                {
                    "category": "description",
                    "text": "Zumba Json Serializer is a library to serialize PHP variables in JSON format. In versions 3.2.2 and below, the library allows deserialization of PHP objects from JSON using a special @type field. The deserializer instantiates any class specified in the @type field without restriction. When processing untrusted JSON input, this behavior may allow an attacker to instantiate arbitrary classes available in the application. If a vulnerable application passes attacker-controlled JSON into JsonSerializer::unserialize() and contains classes with dangerous magic methods (such as __wakeup() or __destruct()), this may lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on available gadget chains in the application or its dependencies. This behavior is similar in risk profile to PHP's native unserialize() when used without the allowed_classes restriction. Applications are impacted only if untrusted or attacker-controlled JSON is passed into JsonSerializer::unserialize() and the application or its dependencies contain classes that can be leveraged as a gadget chain. This issue has been fixed in version 3.2.3. If an immediate upgrade isn't feasible, mitigate the vulnerability by never deserializing untrusted JSON with JsonSerializer::unserialize(), validating and sanitizing all JSON input before deserialization, and disabling @type-based object instantiation wherever possible.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-27206.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Zumba Json Serializer is a library to serialize PHP variables in JSON format. In versions 3.2.2 and below, the library allows deserialization of PHP objects from JSON using a special @type field. The deserializer instantiates any class specified in the @type field without restriction. When processing untrusted JSON input, this behavior may allow an attacker to instantiate arbitrary classes available in the application. If a vulnerable application passes attacker-controlled JSON into JsonSerializer::unserialize() and contains classes with dangerous magic methods (such as __wakeup() or __destruct()), this may lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on available gadget chains in the application or its dependencies. This behavior is similar in risk profile to PHP's native unserialize() when used without the allowed_classes restriction. Applications are impacted only if untrusted or attacker-controlled JSON is passed into JsonSerializer::unserialize() and the application or its dependencies contain classes that can be leveraged as a gadget chain. This issue has been fixed in version 3.2.3. If an immediate upgrade isn't feasible, mitigate the vulnerability by never deserializing untrusted JSON with JsonSerializer::unserialize(), validating and sanitizing all JSON input before deserialization, and disabling @type-based object instantiation wherever possible.",
                    "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-27206"
                },
                {
                    "category": "other",
                    "text": "0.00388",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.1",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is product data available from source Cveprojectv5",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "There is cwe data available from source Nvd, Is related to CWE-502 (Deserialization of Untrusted Data)",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5643110",
                    "CSAFPID-5643111",
                    "CSAFPID-5643113",
                    "CSAFPID-5643115",
                    "CSAFPID-5643117",
                    "CSAFPID-5643119",
                    "CSAFPID-5643121",
                    "CSAFPID-5643122",
                    "CSAFPID-5643124",
                    "CSAFPID-5643126",
                    "CSAFPID-5643128",
                    "CSAFPID-5643130",
                    "CSAFPID-5643132",
                    "CSAFPID-5643133",
                    "CSAFPID-5643135",
                    "CSAFPID-5643366",
                    "CSAFPID-5657724"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-v7m3-fpcr-h7m2"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-v7m3-fpcr-h7m2"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-v7m3-fpcr-h7m2.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - debian",
                    "url": "https://security-tracker.debian.org/tracker/CVE-2026-27206"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27206"
                },
                {
                    "category": "external",
                    "summary": "Source raw - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27206"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-27206"
                },
                {
                    "category": "external",
                    "summary": "Source raw - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27206.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27206"
                },
                {
                    "category": "external",
                    "summary": "Source raw - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-27206.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/zumba/json-serializer/security/advisories/GHSA-v7m3-fpcr-h7m2"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/zumba/json-serializer/commit/bf26227879adefce75eb9651040d8982be97b881"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/zumba/json-serializer/releases/tag/3.2.3"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-v7m3-fpcr-h7m2"
                },
                {
                    "category": "external",
                    "summary": "Reference - osv",
                    "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27206.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27206"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                        "baseScore": 8.1,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5643110",
                        "CSAFPID-5643111",
                        "CSAFPID-5643113",
                        "CSAFPID-5643115",
                        "CSAFPID-5643117",
                        "CSAFPID-5643119",
                        "CSAFPID-5643121",
                        "CSAFPID-5643122",
                        "CSAFPID-5643124",
                        "CSAFPID-5643126",
                        "CSAFPID-5643128",
                        "CSAFPID-5643130",
                        "CSAFPID-5643132",
                        "CSAFPID-5643133",
                        "CSAFPID-5643135",
                        "CSAFPID-5643366",
                        "CSAFPID-5657724"
                    ]
                }
            ],
            "title": "CVE-2026-27206"
        }
    ]
}