zumba/json-serializer < 3.2.3 Remote Code Execution via Unsafe Deserialization (CVE-2026-27206)
An unsafe deserialization vulnerability in zumba/json-serializer versions prior to 3.2.3 allows attackers to instantiate arbitrary PHP objects using the @type field during deserialization. If a suitable gadget chain exists in the application, this can lead to full Remote Code Execution.
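As a defense-in-depth check for applications that deserialize JSON from outside their trust boundary, the added example below (not code from zumba/json-serializer or from this advisory) walks a decoded payload and reports every @type value that is not on an application allowlist. The function names, the ALLOWED_TYPES constant and the App\Dto\* and Vendor\* class names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: flag "@type" values outside an application allowlist.
// ALLOWED_TYPES and the class names in it are hypothetical.
const ALLOWED_TYPES = ['App\\Dto\\Order', 'App\\Dto\\LineItem'];

/** Collect every "@type" value found at any depth of the decoded JSON. */
function collectTypes(mixed $node, array &$found = []): array
{
    if (is_array($node)) {
        foreach ($node as $key => $value) {
            if ($key === '@type') {
                // "\Foo" and "Foo" name the same class; a non-string @type is never acceptable.
                $found[] = is_string($value) ? ltrim($value, '\\') : '<non-string>';
            } else {
                collectTypes($value, $found);
            }
        }
    }
    return $found;
}

/** Return the disallowed type names; an empty array means nothing was flagged. */
function disallowedTypes(string $json, array $allowed = ALLOWED_TYPES): array
{
    try {
        $data = json_decode($json, true, 64, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return ['<invalid json>'];
    }
    // PHP class names are case-insensitive, so compare in lower case.
    $allowedLower = array_map('strtolower', $allowed);
    $bad = [];
    foreach (collectTypes($data) as $type) {
        if (!in_array(strtolower($type), $allowedLower, true)) {
            $bad[] = $type;
        }
    }
    return array_values(array_unique($bad));
}

// Constructed sample payloads (not taken from the advisory).
$accepted = '{"@type":"App\\\\Dto\\\\Order","items":[{"@type":"app\\\\dto\\\\lineitem","sku":"A1"}]}';
$rejected = '{"@type":"App\\\\Dto\\\\Order","note":{"@type":"Vendor\\\\Unexpected\\\\Thing"}}';
var_dump(disallowedTypes($accepted));
var_dump(disallowedTypes($rejected));
```

Run the check before the payload is handed to the deserializer and reject the request when the returned list is non-empty.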