CVE-2026-42569

CRITICAL 9.4

phpvms: /importer authorization bypass causing full database wipe

CVSS Score

9.4

EPSS Score

0.0%

EPSS Percentile

12th

phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.

CWE	CWE-284 CWE-306 CWE-862
Vendor	phpvms
Product	phpvms
Published	May 9, 2026
Last Updated	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for phpvms phpvms

Be the first to know when new critical vulnerabilities affecting phpvms phpvms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

High

Affected Versions

phpvms / phpvms

< 7.0.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh github.com: https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc github.com: https://github.com/phpvms/phpvms/releases/tag/7.0.6 github.com: https://github.com/phpvms/phpvms/releases/tag/7.0.7