Security news bulletin February 2026
CVE-2026-24765 — Unsafe Deserialization in PHPUnit
CVE-2026-24765
Released: January 27, 2026
Last Updated: January 27, 2026
Vendor: PHPUnit / Open Source Project
Attack Tags: Insecure Deserialization, PHP, Automated Testing, DevOps, CI/CD
Severity: High
What Is CVE-2026-24765?
CVE-2026-24765 is a high-severity vulnerability in PHPUnit where the framework unsafely deserializes code coverage files (.coverage) during PHPT test execution. Deserialization is the process of converting stored data back into PHP objects — but if the data is malicious and not validated properly, this can become a security risk.
In this case:
- PHPUnit reads and unserializes .coverage files without validating their content.
- An attacker who can write a crafted .coverage file to the project/test directory may trigger arbitrary code execution when PHPUnit runs tests with code coverage enabled.
In normal operation, no .coverage file should exist before the tests run, so a pre-existing file is an anomalous state. Exploitation depends on an attacker being able to place such a file on the system.
Affected Versions
PHPUnit versions prior to the following releases are impacted:
- 8.x before 8.5.52
- 9.x before 9.6.33
- 10.x before 10.5.62
- 11.x before 11.5.50
- 12.x before 12.5.8
These include production setups where PHPUnit is part of the test suite and CI/CD jobs with code coverage enabled.
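An added pre-test check for CI, written in Python (not PHPUnit's code and not from the bulletin's authors): it compares the phpunit/phpunit version pinned in composer.lock against the fixed releases listed above and reports any .coverage file already on disk before the run. Matching on the `.coverage` suffix, the function names and the sample checkout are assumptions of this example.

```python
import json
import tempfile
from pathlib import Path

# First fixed release per major line, taken from the list above.
FIXED = {8: (8, 5, 52), 9: (9, 6, 33), 10: (10, 5, 62), 11: (11, 5, 50), 12: (12, 5, 8)}

def parse_version(text):
    """'9.6.20' or 'v9.6.20-beta' -> (9, 6, 20); None if not numeric (e.g. 'dev-main')."""
    core = text.lstrip("v").split("-")[0].split("+")[0]
    try:
        parts = [int(p) for p in core.split(".")[:3]]
    except ValueError:
        return None
    return tuple(parts + [0] * (3 - len(parts)))

def phpunit_verdict(lock_path):
    """Return (locked version, verdict) for phpunit/phpunit in composer.lock."""
    lock = json.loads(Path(lock_path).read_text(encoding="utf-8"))
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != "phpunit/phpunit":
            continue
        ver = parse_version(pkg.get("version", ""))
        if ver is None or ver[0] not in FIXED:
            return pkg.get("version"), "review"  # not covered by the list above
        return pkg["version"], "vulnerable" if ver < FIXED[ver[0]] else "patched"
    return None, "absent"

def stale_coverage_files(root):
    """.coverage files already on disk before the test run; none should exist."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.coverage") if p.is_file())

def pre_test_gate(root):
    """Pass only if PHPUnit is patched (or absent) and no .coverage file is present."""
    version, verdict = phpunit_verdict(Path(root) / "composer.lock")
    stale = stale_coverage_files(root)
    return {"ok": verdict in ("patched", "absent") and not stale,
            "phpunit": version, "verdict": verdict, "stale": stale}

def build_sample(root, version):
    """Constructed checkout: a minimal composer.lock plus one placeholder .coverage file."""
    root = Path(root)
    lock = {"packages": [], "packages-dev": [{"name": "phpunit/phpunit", "version": version}]}
    (root / "composer.lock").write_text(json.dumps(lock), encoding="utf-8")
    (root / "tests").mkdir(exist_ok=True)
    (root / "tests" / "example.coverage").write_bytes(b"constructed placeholder")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(pre_test_gate(build_sample(tmp, "9.6.20")))
```

Run it as a step before the test job and fail the build when `ok` is false; a `review` verdict means the locked version could not be matched against the list and needs a manual look.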
Observed Attack Activity
So far, there are no widespread reports of public active exploits in the wild. However, this vulnerability is especially relevant in environments where attackers can inject files into repositories or build systems, such as:
- CI/CD pipelines or automated builds (e.g., via malicious pull requests)
- Local development environments with weak access controls
- Compromised dependencies that introduce malicious coverage files
Because it enables remote code execution (RCE) during test runs, it’s particularly risky in automated systems that run tests frequently and have access to internal resources.
Why It Matters
Unsafe deserialization is a well-known class of vulnerability (CWE-502) that can lead to:
- Arbitrary execution of PHP code
- Complete takeover of dev/test build servers
- Shell or backdoor persistence on CI runners
- Compromise of development credentials or source code
This is especially concerning for development teams and DevOps pipelines where PHPUnit is integrated into automated workflows.
Additional Resources
For more details and official entries on this issue:
- Official CVE Record — CVE.org
www.cve.org/CVERecord
- NVD — National Vulnerability Database
nvd.nist.gov/vuln/detail/CVE-2026-24765
- GitLab Advisory on PHPUnit Deserialization
advisories.gitlab.com/pkg/composer/phpunit/phpunit/CVE-2026-24765/
- Technical Analysis & Threat Write-up
www.miggo.io/vulnerability-database/cve/CVE-2026-24765
How We Can Help
Security vulnerabilities in testing tools like PHPUnit can impact even the development phase of software delivery. We support teams by offering:
- Dependency vulnerability scanning in development and CI/CD workflows
- Secure configuration checks for PHP and testing frameworks
- CI/CD pipeline hardening consulting
- Code review and secure deserialization guidance
- Continuous monitoring and incident response support
Reach out to strengthen your DevOps security posture and avoid tertiary pipeline compromises.
PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files
CVE-2026-24747
Published: 2026-01-27
Severity: Critical
Product: PyTorch
Version affected: < 2.10.0
CWE-502: Deserialization of Untrusted Data
CWE-94: Improper Control of Generation of Code ('Code Injection')
Attack Tags: PyTorch, Python, Machine Learning, Unsafe Deserialization
What is CVE-2026-24747?
CVE-2026-24747 is a critical deserialization vulnerability in PyTorch, a widely used Python framework for machine learning and tensor computation. The flaw exists in the ‘weights_only’ unpickler used during model checkpoint loading and can allow attackers to execute arbitrary code when a malicious checkpoint file (.pth) is loaded using ‘torch.load()’.
Despite the intended safety controls of the ‘weights_only’ option, a crafted checkpoint file can bypass restrictions, resulting in remote code execution (RCE) in the context of the running application. This makes the vulnerability particularly dangerous in environments where models are loaded automatically or sourced from third parties.
Given PyTorch’s widespread use across AI research, enterprise machine learning platforms, CI/CD pipelines, and cloud-based inference services, CVE-2026-24747 presents a significant supply-chain and operational risk.
Observed Attack Activity
Following successful exploitation, attackers have been observed to:
- Execute arbitrary Python code on affected systems
- Steal credentials, API keys, and environment secrets
- Compromise machine learning pipelines and inference services
- Move laterally within shared research, containerized, or cloud environments
- Establish persistence within development or production systems
This vulnerability highlights the increasing risk of treating machine learning models as trusted data, as they can effectively function as executable content.
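An added illustration of that point, in Python (not PyTorch code and not a detector for this specific CVE): the pickle stream inside a checkpoint can be inspected for the imports it would perform without ever unpickling it. The `archive/data.pkl` member name, the allowlist and both sample checkpoints are constructed for this example; a real state dict also references torch's own tensor-rebuild helpers, which would have to be added to the allowlist.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Assumption for this example: the only import a plain weights file may make.
ALLOWED = {("collections", "OrderedDict")}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
NO_STACK_EFFECT = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}

def referenced_globals(pickle_bytes):
    """List (module, name) pairs a pickle stream would import, without loading it."""
    found, prev = [], []
    for op, arg, _pos in pickletools.genops(pickle_bytes):
        if op.name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            # Operands come from the stack; resolve only the simple two-string form.
            ok = len(prev) == 2 and None not in prev
            found.append(tuple(prev) if ok else ("<unresolved>", "<unresolved>"))
        if op.name not in NO_STACK_EFFECT:
            prev = (prev + [arg if op.name in STRING_OPS else None])[-2:]
    return found

def audit_checkpoint(blob):
    """Return imports outside ALLOWED found in every *.pkl member of a zip checkpoint."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for member in zf.namelist():
            if member.endswith(".pkl"):
                for ref in referenced_globals(zf.read(member)):
                    if ref not in ALLOWED:
                        flagged.append((member, *ref))
    return flagged

def build_sample(payload):
    """Constructed zip mimicking the archive/data.pkl layout; not produced by torch."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(payload, protocol=4))
    return buf.getvalue()

CLEAN = build_sample(OrderedDict(layer=[0.1, 0.2]))
SUSPECT = build_sample({"weights": OrderedDict(), "hook": print})  # harmless reference

if __name__ == "__main__":
    print(audit_checkpoint(CLEAN), audit_checkpoint(SUSPECT))
```

Any flagged or `<unresolved>` entry should be treated as a reason not to load the file; an empty result only means no unexpected import was seen, not that the file is safe.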
Additional Resources
- CVE.org Official Record www.cve.org/CVERecord
- Red Hat Security Data access.redhat.com/security/cve/cve-2026-24747
- SentinelOne Vulnerability Database www.sentinelone.com/vulnerability-database/cve-2026-24747/
- OWASP – Insecure Deserialization owasp.org/www-community/vulnerabilities/Insecure_Deserialization
How we can help
Modern AI and ML environments require security beyond traditional patching. Our IT Managed Services and Security Operations teams help organizations protect their machine learning workloads by providing:
- Continuous vulnerability management and dependency monitoring
- Secure configuration and hardening of ML pipelines
- 24×7 monitoring, incident detection, and response
- Cloud and CI/CD pipeline security support
TYPO3 CMS Insecure Deserialization Vulnerability
CVE-2026-0859
Released: January 13, 2026
Last Updated: January 13, 2026
Vendor: TYPO3
Attack Tags: TYPO3 CMS, PHP, Insecure Deserialization, Local Privilege Escalation, Remote Code Execution
Severity: Medium
What is CVE-2026-0859?
CVE-2026-0859 is a medium-severity security vulnerability affecting TYPO3 CMS. The issue stems from insecure deserialization in TYPO3’s mailer file spool mechanism, which is used to queue and process outgoing emails.
Due to insufficient validation of serialized data, TYPO3 may process maliciously crafted spool files. If exploited, this can allow attackers with local write access to execute arbitrary PHP code on the web server, potentially leading to full application compromise.
Affected Versions
The vulnerability impacts the following TYPO3 CMS versions:
- 12.0.0 – 12.4.40
- 13.0.0 – 13.4.22
- 14.0.0 – 14.0.1
Organizations running these versions should consider themselves at risk until patched.
Observed Attack Activity
At the time of disclosure, there is no confirmed large-scale internet exploitation of CVE-2026-0859. However, this vulnerability is highly relevant in post-compromise scenarios, such as:
- Abuse by attackers who already gained limited system access
- Exploitation via vulnerable or misconfigured TYPO3 extensions
- Shared hosting environments with weak file permission controls
Once exploited, attackers can escalate privileges and gain persistent control over the TYPO3 environment.
Additional Resources
For more detailed technical information and official advisories, refer to the following sources:
- CVE.org – Official CVE Record
https://www.cve.org/CVERecord?id=CVE-2026-0859
- TYPO3 Security Advisories
https://typo3.org/security/advisory
- OpenCVE – CVE Tracking & Updates
https://app.opencve.io/cve/CVE-2026-0859
- NVD – National Vulnerability Database
https://nvd.nist.gov/vuln/detail/CVE-2026-0859
How We Can Help
Security issues like CVE-2026-0859 highlight the importance of continuous monitoring and proactive patch management.
Our security teams help organizations by providing:
- Continuous vulnerability assessment and patch management
- TYPO3 CMS security hardening and configuration reviews
- 24×7 monitoring and incident response support
- Compliance-aligned security reporting
Connect with our security experts to reduce risk and keep your CMS environments secure.
RCE Supply-Chain Attack on React Server Components
CVE-2025-55182
Released: Nov 29, 2025
Added to the CISA Known Exploited Vulnerabilities catalog: Dec 5, 2025
Attack Tags: React.js, JavaScript, Supply Chain, Remote Code Execution
Severity: Critical
What is React2Shell?
React2Shell is a critical remote code execution (RCE) vulnerability affecting React Server Components (RSC) and server-side rendering (SSR) implementations. Tracked as CVE-2025-55182, this flaw enables unauthenticated attackers to execute arbitrary commands on vulnerable servers, making it one of the most severe React security issues observed to date.
Threat actors have actively exploited React2Shell by abusing unsafe deserialization and insecure execution paths in React Server Components. Attackers send crafted HTTP requests to vulnerable React applications, triggering server-side code execution without authentication.
Because React is widely deployed across cloud platforms, microservices architectures, CI/CD pipelines, and developer portals, React2Shell presents a high-impact supply-chain risk. Compromised applications can be weaponized to attack downstream systems, third-party services, and internal infrastructure.
Observed Attack Activity
Following successful exploitation, attackers have been observed engaging in the following activities:
- Deployment of web shells for persistent unauthorized access.
- Theft of environment variables and secrets, including API keys and cloud credentials.
- Injection of malicious logic into CI/CD pipelines.
- Lateral movement within containerized and cloud environments.
- Pivoting from React applications to backend APIs, databases, and cloud resources.
Security researchers have observed both mass internet scanning and targeted intrusions, indicating use by financially motivated threat actors as well as more advanced adversaries seeking long-term persistence.
Additional Resources
- Microsoft Security Blog – Defending Against CVE-2025-55182 (React2Shell)
https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
- The Hacker News – Critical RSC Bugs in React & Next.js (React2Shell)
https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
- NetSPI Security Advisory – React Server Components Critical Vulnerability
https://www.netspi.com/newsroom/press-release/critical-vulnerability-cve-2025-55182/
- CERT-EU Security Advisory 2025-041
https://cert.europa.eu/publications/security-advisories/2025-041/
How we can help
Modern attacks like React2Shell demand more than one-time patching. Our IT Managed Services and Security Operations teams help organizations stay protected by providing:
- Ongoing patching, 24×7 monitoring, and compliance support.
- Continuous vulnerability management.
- Secure CI/CD pipeline and cloud workload protection.