Lucene search
K

phpVMS < 7.0.6 - Legacy Importer Authorization Bypass

๐Ÿ—“๏ธย 06 Jul 2026ย 03:02:03Reported byย ProjectDiscoveryTypeย 
nuclei
ย nuclei
๐Ÿ”—ย github.com๐Ÿ‘ย 7ย Views

Unauthenticated access to the legacy importer in phpVMS before 7.0.6 bypasses authentication and exposes restricted import functionality.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-42569
9 May 202619:21
โ€“attackerkb
Circl
CVE-2026-42569
9 May 202621:00
โ€“circl
CNNVD
phpVMS 8 ่ฎฟ้—ฎๆŽงๅˆถ้”™่ฏฏๆผๆดž
9 May 202600:00
โ€“cnnvd
CVE
CVE-2026-42569
9 May 202619:21
โ€“cve
Cvelist
CVE-2026-42569 phpvms: /importer authorization bypass causing full database wipe
9 May 202619:21
โ€“cvelist
EUVD
EUVD-2026-28930
9 May 202619:21
โ€“euvd
Github Security Blog
phpVMS has an /importer authorization bypass causing full database wipe
4 May 202621:20
โ€“github
NVD
CVE-2026-42569
9 May 202620:16
โ€“nvd
OSV
GHSA-FV26-4939-62FH phpVMS has an /importer authorization bypass causing full database wipe
4 May 202621:20
โ€“osv
Packet Storm
๐Ÿ“„ phpVMS 7.0.5 Unauthenticated Import Endpoint Bypass
9 Jun 202600:00
โ€“packetstorm
Rows per page
id: CVE-2026-42569

info:
  name: phpVMS < 7.0.6 - Legacy Importer Authorization Bypass
  author: 0x_Akoko
  severity: critical
  description: |
   phpVMS < 7.0.6 contains an authentication bypass caused by unauthenticated access to a legacy import feature, letting unauthenticated attackers access restricted functionality, exploit requires no special privileges.
  impact: |
   Unauthenticated attackers can access restricted import functionality, potentially leading to unauthorized data manipulation or system compromise.
  remediation: |
   Update to version 7.0.6 or later.
  reference:
    - https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh
    - https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc
    - https://nvd.nist.gov/vuln/detail/CVE-2026-42569
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
    cvss-score: 9.4
    cve-id: CVE-2026-42569
    epss-score: 0.01173
    epss-percentile: 0.63711
    cwe-id: CWE-284,CWE-306,CWE-862
  metadata:
    verified: true
    max-request: 1
    vendor: phpvms
    product: phpvms
    shodan-query: http.html:"phpvms"
    fofa-query: app="phpVMS"
  tags: cve,cve2026,phpvms,auth-bypass,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}/importer"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(to_lower(body), "importer", "phpvms")'
          - 'contains_any(body, "Import Configuration", "Database Config", "Start Importer", "WIPE OUT YOUR EXISTING DATA", "importer/config")'
        condition: and
# digest: 490a004630440220135e92034f895dae3fbbd386d449010cdb4edf63e60bd2f9f6f5db7ff4db94630220277cfe75e8bb7fa3337f32c17c4f04094f013a3008b8e5026e398416ab48560b:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

12 May 2026 02:44Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.19.4
EPSS0.01173
SSVC
7