← back
CVE-2026-42569

phpvms: /importer authorization bypass causing full database wipe

CVSS 9.4 CRITICALEPSS 1.2%CWE-284CWE-306CWE-862
phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Affected products
phpvms · phpvms
public PoCs found1
githubgithub.com/0xBlackash/CVE-2026-425690
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dchttps://github.com/phpvms/phpvms/releases/tag/7.0.6https://github.com/phpvms/phpvms/releases/tag/7.0.7https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh