CVE-2026-42475: MixPHP Framework has an SQL injection vulnerability

May 1, 2026 (updated May 7, 2026)

SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted on array to the joinOn function in BuildHelper.php.

References

gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975
github.com/advisories/GHSA-vf35-8m4j-gm8v
github.com/mix-php/mix
github.com/mix-php/mix/blob/v2.2.17/src/database/src/Helper/BuildHelper.php
nvd.nist.gov/vuln/detail/CVE-2026-42475

Code Behaviors & Features

Detect and mitigate CVE-2026-42475 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →