SCA: security update for zumba/json-serializer (GHSA-v7m3-fpcr-h7m2)

Severity: High | Tenable Self-Hosted Container Security | Plugin ID 437876

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Zumba Json Serializer is a library to serialize PHP variables in JSON format. In versions 3.2.2 and below,
the library allows deserialization of PHP objects from JSON using a special @type field. The deserializer
instantiates any class specified in the @type field without restriction. When processing untrusted JSON
input, this behavior may allow an attacker to instantiate arbitrary classes available in the application.
If a vulnerable application passes attacker-controlled JSON into JsonSerializer::unserialize() and
contains classes with dangerous magic methods (such as __wakeup() or __destruct()), this may lead to PHP
Object Injection and potentially Remote Code Execution (RCE), depending on available gadget chains in the
application or its dependencies. This behavior is similar in risk profile to PHP's native unserialize()
when used without the allowed_classes restriction. Applications are impacted only if untrusted or
attacker-controlled JSON is passed into JsonSerializer::unserialize() and the application or its
dependencies contain classes that can be leveraged as a gadget chain. This issue has been fixed in version
3.2.3. If an immediate upgrade isn't feasible, mitigate the vulnerability by never deserializing untrusted
JSON with JsonSerializer::unserialize(), validating and sanitizing all JSON input before deserialization,
and disabling @type-based object instantiation wherever possible. (CVE-2026-27206)

See Also

https://github.com/advisories/GHSA-v7m3-fpcr-h7m2

Plugin Details

Severity: High

ID: 437876

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 2/20/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-27206

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/19/2026

Vulnerability Publication Date: 2/19/2026

Reference Information

CVE: CVE-2026-27206

CWE: CWE-502