MokoConsulting/MokoSuiteBackup
1
0
Fork 0
Code Issues 11 Pull Requests Packages Releases 5 Wiki Activity

security: AkeebaImporter uses unserialize() on untrusted filter data #75

New Issue
Closed
opened 2026-06-21 23:01:12 +00:00 by jmiller · 0 comments
jmiller commented 2026-06-21 23:01:12 +00:00
Owner
Copy Link
Copy Source

Severity: HIGH

AkeebaImporter at line 368 uses @unserialize($raw) on #__ak_profiles.filters data read from the database. PHP object injection via unserialize() is a known RCE vector when classes with __destruct()/__wakeup() are available.

Akeeba Backup has used JSON-encoded filters since v7+.

Fix

Replace unserialize() with json_decode(). If JSON parse fails, treat filters as empty.

File

  • src/Engine/AkeebaImporter.php:368-370
## Severity: HIGH `AkeebaImporter` at line 368 uses `@unserialize($raw)` on `#__ak_profiles.filters` data read from the database. PHP object injection via `unserialize()` is a known RCE vector when classes with `__destruct()`/`__wakeup()` are available. Akeeba Backup has used JSON-encoded filters since v7+. ## Fix Replace `unserialize()` with `json_decode()`. If JSON parse fails, treat filters as empty. ## File - `src/Engine/AkeebaImporter.php:368-370`
jmiller added the component: engine label 2026-06-21 23:01:12 +00:00
Sign in to join this conversation.
Labels
Clear labels
component: admin
Admin UI and views
 component: api
REST API
 component: engine
Backup/restore engine
 component: remote
Remote storage (FTP/GDrive)
 component: scheduler
Scheduled tasks
No labels component: engine
Priority Medium
Type Feature
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoSuiteBackup#75
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?