zumba json-serializer up to 3.2.2 unserialize deserialization

Summaryinfo

A vulnerability described as problematic has been identified in zumba json-serializer up to 3.2.2. Affected by this issue is the function JsonSerializer::unserialize. Such manipulation leads to deserialization. This vulnerability is uniquely identified as CVE-2026-27206. The attack can be launched remotely. No exploit exists. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in zumba json-serializer up to 3.2.2. It has been rated as problematic. Affected by this issue is the function JsonSerializer::unserialize. The manipulation with an unknown input leads to a deserialization vulnerability. Using CWE to declare the problem leads to CWE-502. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Zumba Json Serializer is a library to serialize PHP variables in JSON format. In versions 3.2.2 and below, the library allows deserialization of PHP objects from JSON using a special @type field. The deserializer instantiates any class specified in the @type field without restriction. When processing untrusted JSON input, this behavior may allow an attacker to instantiate arbitrary classes available in the application. If a vulnerable application passes attacker-controlled JSON into JsonSerializer::unserialize() and contains classes with dangerous magic methods (such as __wakeup() or __destruct()), this may lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on available gadget chains in the application or its dependencies. This behavior is similar in risk profile to PHP's native unserialize() when used without the allowed_classes restriction. Applications are impacted only if untrusted or attacker-controlled JSON is passed into JsonSerializer::unserialize() and the application or its dependencies contain classes that can be leveraged as a gadget chain. This issue has been fixed in version 3.2.3. If an immediate upgrade isn't feasible, mitigate the vulnerability by never deserializing untrusted JSON with JsonSerializer::unserialize(), validating and sanitizing all JSON input before deserialization, and disabling @type-based object instantiation wherever possible.

The advisory is available at github.com. This vulnerability is handled as CVE-2026-27206 since 02/18/2026. The exploitation is known to be difficult. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details are known, but there is no available exploit.

The vulnerability scanner Nessus provides a plugin with the ID 299639 (Linux Distros Unpatched Vulnerability : CVE-2026-27206), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 3.2.3 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch bf26227879adefce75eb9651040d8982be97b881 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (299639). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• zumba

Name

• json-serializer

Version

• 3.2.0
• 3.2.1
• 3.2.2

License

• open-source

Website

• Product: https://github.com/zumba/json-serializer/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion