| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
| CVE-2026-42569 | 9 May 202619:21 | โ | attackerkb | |
| CVE-2026-42569 | 9 May 202621:00 | โ | circl | |
| phpVMS 8 ่ฎฟ้ฎๆงๅถ้่ฏฏๆผๆด | 9 May 202600:00 | โ | cnnvd | |
| CVE-2026-42569 | 9 May 202619:21 | โ | cve | |
| CVE-2026-42569 phpvms: /importer authorization bypass causing full database wipe | 9 May 202619:21 | โ | cvelist | |
| EUVD-2026-28930 | 9 May 202619:21 | โ | euvd | |
| phpVMS has an /importer authorization bypass causing full database wipe | 4 May 202621:20 | โ | github | |
| CVE-2026-42569 | 9 May 202620:16 | โ | nvd | |
| GHSA-FV26-4939-62FH phpVMS has an /importer authorization bypass causing full database wipe | 4 May 202621:20 | โ | osv | |
| ๐ phpVMS 7.0.5 Unauthenticated Import Endpoint Bypass | 9 Jun 202600:00 | โ | packetstorm |
id: CVE-2026-42569
info:
name: phpVMS < 7.0.6 - Legacy Importer Authorization Bypass
author: 0x_Akoko
severity: critical
description: |
phpVMS < 7.0.6 contains an authentication bypass caused by unauthenticated access to a legacy import feature, letting unauthenticated attackers access restricted functionality, exploit requires no special privileges.
impact: |
Unauthenticated attackers can access restricted import functionality, potentially leading to unauthorized data manipulation or system compromise.
remediation: |
Update to version 7.0.6 or later.
reference:
- https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh
- https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc
- https://nvd.nist.gov/vuln/detail/CVE-2026-42569
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
cvss-score: 9.4
cve-id: CVE-2026-42569
epss-score: 0.01173
epss-percentile: 0.63711
cwe-id: CWE-284,CWE-306,CWE-862
metadata:
verified: true
max-request: 1
vendor: phpvms
product: phpvms
shodan-query: http.html:"phpvms"
fofa-query: app="phpVMS"
tags: cve,cve2026,phpvms,auth-bypass,unauth
http:
- method: GET
path:
- "{{BaseURL}}/importer"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(to_lower(body), "importer", "phpvms")'
- 'contains_any(body, "Import Configuration", "Database Config", "Start Importer", "WIPE OUT YOUR EXISTING DATA", "importer/config")'
condition: and
# digest: 490a004630440220135e92034f895dae3fbbd386d449010cdb4edf63e60bd2f9f6f5db7ff4db94630220277cfe75e8bb7fa3337f32c17c4f04094f013a3008b8e5026e398416ab48560b:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation