What is the CVSS score of CVE-2026-42569?

CVE-2026-42569 has a CVSS 3.1 base score of 9.4 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of phpVMS are affected by CVE-2026-42569?

CVE-2026-42569 affects phpVMS versions 7.x through 7.0.5 and enables unauthenticated remote attackers to delete entire databases through an unprotected legacy importer endpoint, potentially causing…. A patch is available.

Is there a public PoC exploit available for CVE-2026-42569?

Yes, a public proof-of-concept exploit is available for CVE-2026-42569. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-42569?

Within 24 hours: Identify all phpVMS 7.x installations and confirm current versions via admin panel or GitHub repository check; isolate any running versions 7.0.5 or earlier from public internet access if immediate patching is not feasible. Within 7 days: upgrade all phpVMS installations to version 7.0.6 or later per vendor advisory GHSA-fv26-4939-62fh; verify upgrade completion and test importer endpoint access. Within 30 days: conduct database integrity audit to confirm no unauthorized modifications occurred; review access logs for /importer endpoint requests during vulnerable window; implement Web Application Firewall (WAF) rules blocking access to /importer endpoint as permanent compensating control.

phpVMS CVE-2026-42569

CRITICAL

Improper Access Control (CWE-284)

2026-05-04 https://github.com/phpvms/phpvms

GHSA-fv26-4939-62fh

Authentication Bypass

9.4

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.4 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

May 04, 2026 - 21:46 vuln.today

Analysis Generated

May 04, 2026 - 21:46 vuln.today

DescriptionGitHub Advisory

Security Advisory: Unauthenticated Access to Legacy Import Feature

Severity: Critical Affected versions: phpVMS 7.x (up to 7.0.5) Fixed in: v7.0.6 Component: Legacy importer

Summary

A critical vulnerability in phpVMS 7.x allowed unauthenticated access to a legacy import feature. Although this feature is deprecated, parts of it remained accessible and operational.

Impact

A remote attacker could trigger internal processes that modify or delete application data, potentially resulting in:

Data loss
Service disruption

No authentication was required.

Remediation

Update immediately to the latest patched version
If unable to update:
The release link has instructions on how to fix it (it's a one-line fix to comment out the routes)

Affected Versions

Affected: phpVMS 7.x ≤ 7.0.5
Not affected: phpVMS >= 7.0.6, v8 (feature removed from public access)

Articles & Coverage 1

POC CVE-2026-42569: Unauthenticated Database Wipe in phpVMS ≤ 7.0.5 May 11, 2026

AnalysisAI

Unauthenticated remote attackers can trigger complete database wipes and data deletion in phpVMS 7.x through 7.0.5 by accessing an exposed legacy importer endpoint at /importer. The vulnerability stems from deprecated import functionality that remained publicly accessible without authentication checks, allowing remote data modification or destruction. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify phpVMS installation

Delivery

Send POST to /importer/run

Exploit

Trigger unauthenticated import process

Execution

Execute database truncation/deletion

Impact

Achieve data loss and service disruption

Access

Identify phpVMS installation

Delivery

Send POST to /importer/run

Exploit

Trigger unauthenticated import process

Execution

Execute database truncation/deletion

Impact

Achieve data loss and service disruption

Vulnerability AssessmentAI

Exploitation	No special conditions - remote unauthenticated exploitation against default configurations of phpVMS 7.0 through 7.0.5. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	This vulnerability presents critical real-world risk despite absence from CISA KEV. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker discovers a phpVMS installation through reconnaissance (Shodan search, subdomain enumeration, or direct targeting of virtual airline websites). They send an unauthenticated HTTP POST request to https://target.example/importer/run with a crafted payload designed to trigger the legacy import process with destructive parameters. …
Remediation	Primary fix: Upgrade immediately to phpVMS version 7.0.6 or later (vendor recommends 7.0.7 per advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all phpVMS 7.x installations and confirm current versions via admin panel or GitHub repository check; isolate any running versions 7.0.5 or earlier from public internet access if immediate patching is not feasible. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-42569 vulnerability details – vuln.today

Back

phpVMS CVE-2026-42569

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Security Advisory: Unauthenticated Access to Legacy Import Feature

Summary

Impact

Remediation

Affected Versions

Articles & Coverage 1

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code