Security News Bulletin - February 2026

TYPO3 CMS Insecure Deserialization Vulnerability - CVE-2026-0859

CVE-2026-0859 
Released: January 13, 2026 
Last Updated: January 13, 2026 
Vendor: TYPO3 

Attack Tags: TYPO3 CMS, PHP, Insecure Deserialization, Local Privilege Escalation, Remote Code Execution
Severity: Medium 

What is CVE-2026-0859?

CVE-2026-0859 is a medium-severity security vulnerability affecting TYPO3 CMS. The issue stems from insecure deserialization in TYPO3’s mailer file spool mechanism, which is used to queue and process outgoing emails. 

Due to insufficient validation of serialized data, TYPO3 may process maliciously crafted spool files. If exploited, this can allow attackers with local write access to execute arbitrary PHP code on the web server, potentially leading to full application compromise. 

Affected Versions

The vulnerability impacts the following TYPO3 CMS versions: 

  • 12.0.0 – 12.4.40
  • 13.0.0 – 13.4.22
  • 14.0.0 – 14.0.1

Organizations running these versions should consider themselves at risk until patched. 

Observed Attack Activity

At the time of disclosure, there is no confirmed large-scale internet exploitation of CVE-2026-0859. 

However, this vulnerability is highly relevant in post-compromise scenarios, such as: 

  • Abuse by attackers who already gained limited system access.
  • Exploitation via vulnerable or misconfigured TYPO3 extensions.
  • Shared hosting environments with weak file permission controls. 

Once exploited, attackers can escalate privileges and gain persistent control over the TYPO3 environment. 

Additional Resources

For more detailed technical information and official advisories, refer to the following sources: 

  1. CVE.org – Official CVE Record 
    https://www.cve.org/CVERecord?id=CVE-2026-0859
  2. TYPO3 Security Advisories 
    https://typo3.org/security/advisory
  3. OpenCVE – CVE Tracking & Updates 
    https://app.opencve.io/cve/CVE-2026-0859
  4. NVD – National Vulnerability Database 
    https://nvd.nist.gov/vuln/detail/CVE-2026-0859


Unsafe Deserialization in PHPUnit - CVE-2026-24765

CVE-2026-24765 
Released: January 27, 2026 
Last Updated: January 27, 2026 
Vendor: PHPUnit / Open Source Project 

Attack Tags: Insecure Deserialization, PHP, Automated Testing, DevOps, CI/CD 
Severity: High 

What Is CVE-2026-24765?

CVE-2026-24765 is a high-severity vulnerability in PHPUnit where the framework unsafely deserializes code coverage files (.coverage) during PHPT test execution. 

Deserialization is the process of converting stored data back into PHP objects — but if the data is malicious and not validated properly, this can become a security risk. 

In this case: 

  • PHPUnit reads and unserializes .coverage files without validating their content.
  • An attacker who can write a crafted .coverage file to the project/test directory may trigger arbitrary code execution when PHPUnit runs tests with code coverage enabled.

In normal operation, a .coverage file should not already exist before the tests run, so its presence is anomalous; exploitation becomes possible when an attacker can place such a file on the system ahead of a test run.

Affected Versions

PHPUnit versions prior to the following releases are impacted:

  • 8.x before 8.5.52
  • 9.x before 9.6.33
  • 10.x before 10.5.62
  • 11.x before 11.5.50
  • 12.x before 12.5.8

Affected deployments include production setups where PHPUnit is part of the test suite, and CI/CD jobs that run tests with code coverage enabled.
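As an added example (not taken from any advisory cited in this bulletin), the following Python inventory check encodes the TYPO3 and PHPUnit version ranges listed above, plus the PyTorch bound given later in this bulletin, and reports which installed versions fall inside them; the host names in the sample inventory are constructed.

```python
"""Inventory check against the version ranges this bulletin lists."""
import re

# Ranges exactly as stated in this bulletin, as (low, high, high_is_inclusive).
# TYPO3 publishes inclusive spans ("12.0.0 - 12.4.40"); PHPUnit and PyTorch
# publish "before X" bounds, where X is the first release that is not affected.
AFFECTED = {
    "typo3": [("12.0.0", "12.4.40", True), ("13.0.0", "13.4.22", True),
              ("14.0.0", "14.0.1", True)],
    "phpunit": [("8.0.0", "8.5.52", False), ("9.0.0", "9.6.33", False),
                ("10.0.0", "10.5.62", False), ("11.0.0", "11.5.50", False),
                ("12.0.0", "12.5.8", False)],
    "pytorch": [("0.0.0", "2.10.0", False)],  # CVE-2026-24747: < 2.10.0
}


def vtuple(version: str) -> tuple:
    """'12.4.40' -> (12, 4, 40). Suffixes such as 'rc1' or '+build' are dropped,
    so '2.10.0rc1' compares equal to 2.10.0; review pre-releases by hand."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def is_affected(product: str, version: str) -> bool:
    """True when version falls inside any affected range for the product."""
    v = vtuple(version)
    for low, high, inclusive in AFFECTED[product]:
        lo, hi = vtuple(low), vtuple(high)
        if lo <= v and (v <= hi if inclusive else v < hi):
            return True
    return False


def scan(inventory: dict) -> list:
    """inventory maps 'host/product' to the installed version string."""
    findings = []
    for key, version in inventory.items():
        product = key.rsplit("/", 1)[-1].lower()
        if product in AFFECTED and is_affected(product, version):
            findings.append(f"{key} {version}: affected, upgrade required")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; the host names are not real systems.
    sample = {"web01/typo3": "12.4.40", "web02/typo3": "13.4.23",
              "ci01/phpunit": "9.6.32", "ml01/pytorch": "2.9.1"}
    print("\n".join(scan(sample)) or "nothing affected")
```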

Observed Attack Activity

So far, there are no widespread reports of public active exploits in the wild.

However, this vulnerability is especially relevant in environments where attackers can inject files into repositories or build systems, such as: 

  • CI/CD pipelines or automated builds (e.g., via malicious pull requests)
  • Local development environments with weak access controls
  • Compromised dependencies that introduce malicious coverage files

Because it enables remote code execution (RCE) during test runs, it’s particularly risky in automated systems that run tests frequently and have access to internal resources.

Why It Matters

Unsafe deserialization is a well-known class of vulnerability (CWE-502) that can lead to:

  • Arbitrary execution of PHP code
  • Complete takeover of dev/test build servers
  • Shell or backdoor persistence on CI runners
  • Compromise of development credentials or source code

This is especially concerning for development teams and DevOps pipelines where PHPUnit is integrated into automated workflows.

Additional Resources

For more details and official entries on this issue:

  1. Official CVE Record — CVE.org 
    www.cve.org/CVERecord
  2. NVD — National Vulnerability Database 
    nvd.nist.gov/vuln/detail/CVE-2026-24765
  3. GitLab Advisory on PHPUnit Deserialization 
    advisories.gitlab.com/pkg/composer/phpunit/phpunit/CVE-2026-24765/
  4. Technical Analysis & Threat Write-up 
    www.miggo.io/vulnerability-database/cve/CVE-2026-24765


RCE Supply-Chain Attack on React Server Components – CVE-2025-55182

CVE-2025-55182 
Released: Nov 29, 2025 
Added to CISA's Known Exploited Vulnerabilities (KEV) catalog: Dec 5, 2025 

Attack Tags: React.js, JavaScript, Supply Chain, Remote Code Execution 
Severity: Critical 

What is React2Shell?

React2Shell is a critical remote code execution (RCE) vulnerability affecting React Server Components (RSC) and server-side rendering (SSR) implementations. Tracked as CVE-2025-55182, this flaw enables unauthenticated attackers to execute arbitrary commands on vulnerable servers, making it one of the most severe React security issues observed to date. 

Threat actors have actively exploited React2Shell by abusing unsafe deserialization and insecure execution paths in React Server Components. Attackers send crafted HTTP requests to vulnerable React applications, triggering server-side code execution without authentication. 

Because React is widely deployed across cloud platforms, microservices architectures, CI/CD pipelines, and developer portals, React2Shell presents a high-impact supply-chain risk. Compromised applications can be weaponized to attack downstream systems, third-party services, and internal infrastructure. 

Observed Attack Activity

Following successful exploitation, attackers have been observed engaging in the following activities:

  • Deployment of web shells for persistent unauthorized access.
  • Theft of environment variables and secrets, including API keys and cloud credentials.
  • Injection of malicious logic into CI/CD pipelines.
  • Lateral movement within containerized and cloud environments.
  • Pivoting from React applications to backend APIs, databases, and cloud resources.

Security researchers have observed both mass internet scanning and targeted intrusions, indicating use by financially motivated threat actors as well as more advanced adversaries seeking long-term persistence.

Additional Resources

  1. Microsoft Security Blog – Defending Against CVE-2025-55182 (React2Shell)
    https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
  2. The Hacker News – Critical RSC Bugs in React & Next.js (React2Shell) 
    https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
  3. NetSPI Security Advisory – React Server Components Critical Vulnerability 
    https://www.netspi.com/newsroom/press-release/critical-vulnerability-cve-2025-55182/
  4. CERT-EU Security Advisory 2025-041 
    https://cert.europa.eu/publications/security-advisories/2025-041/


PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files - CVE-2026-24747

CVE-2026-24747 
Published: 2026-01-27 
Severity: Critical 

Product: PyTorch 
Versions affected: < 2.10.0
CWE-502: Deserialization of Untrusted Data
CWE-94: Improper Control of Generation of Code ('Code Injection')
Attack Tags: PyTorch, Python, Machine Learning, Unsafe Deserialization

What is CVE-2026-24747?

CVE-2026-24747 is a critical deserialization vulnerability in PyTorch, a widely used Python framework for machine learning and tensor computation. The flaw exists in the 'weights_only' unpickler used during model checkpoint loading and can allow attackers to execute arbitrary code when a malicious checkpoint file (.pth) is loaded with torch.load(). 

Despite the intended safety controls of the ‘weights_only’ option, a crafted checkpoint file can bypass restrictions, resulting in remote code execution (RCE) in the context of the running application. This makes the vulnerability particularly dangerous in environments where models are loaded automatically or sourced from third parties. 

Given PyTorch’s widespread use across AI research, enterprise machine learning platforms, CI/CD pipelines, and cloud-based inference services, CVE-2026-24747 presents a significant supply-chain and operational risk. 

Observed Attack Activity

Following successful exploitation, attackers have been observed engaging in the following activities:

  • Executing arbitrary Python code on affected systems
  • Stealing credentials, API keys, and environment secrets
  • Compromising machine learning pipelines and inference services
  • Moving laterally within shared research, containerized, or cloud environments
  • Establishing persistence within development or production systems

This vulnerability highlights the increasing risk of treating machine learning models as trusted data, as they can effectively function as executable content.

Additional Resources

  1. CVE.org Official Record 
    www.cve.org/CVERecord
  2. Red Hat Security Data 
    access.redhat.com/security/cve/cve-2026-24747
  3. SentinelOne Vulnerability Database 
    www.sentinelone.com/vulnerability-database/cve-2026-24747/
  4. OWASP – Insecure Deserialization 
    owasp.org/www-community/vulnerabilities/Insecure_Deserialization