Description
phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.
Published: 2026-05-09
Score: 9.4 Critical
EPSS: 2.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A critical authorization bypass exists in phpVMS prior to version 7.0.6 that allows any unauthenticated user to invoke a legacy import process. This process is capable of overwriting or deleting the entire database, effectively erasing all flight, staff, and passenger records. The flaw stems from missing access controls, enabling attackers to execute privileged data‑management operations normally restricted to administrators.

Affected Systems

The vulnerability affects installations of phpVMS version 7.0.5 and earlier, specifically the open‑source phpVMS application distributed under the vendor phpvms:phpvms. Any instance running an unsupported or older release is susceptible.

Risk and Exploitability

The CVSS score of 9.4 denotes critical severity. The EPSS score of 2% indicates a moderate probability of exploitation, while the vulnerability can be exploited remotely without authentication, granting full control over the database. The flaw is not currently listed in CISA KEV and no public exploits are documented, yet the lack of authentication and the destructive impact pose a high risk to any internet‑connected phpVMS deployment.

Generated by OpenCVE AI on May 22, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading phpVMS to version 7.0.6 or later.
  • If an upgrade is not immediately possible, disable or delete the legacy /importer endpoint and enforce authentication for all import functionality.
  • Configure web‑application firewall or server rules to block unauthenticated requests to the importer script.

Generated by OpenCVE AI on May 22, 2026 at 15:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fv26-4939-62fh phpVMS has an /importer authorization bypass causing full database wipe
History

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 09 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Phpvms
Phpvms phpvms
Vendors & Products Phpvms
Phpvms phpvms

Sat, 09 May 2026 19:45:00 +0000

Type Values Removed Values Added
Description phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.
Title phpvms: /importer authorization bypass causing full database wipe
Weaknesses CWE-284
CWE-306
CWE-862
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H'}

Subscriptions

Phpvms Phpvms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T18:31:04.998Z

Reserved: 2026-04-28T17:26:12.084Z

Link: CVE-2026-42569

cve-icon Vulnrichment

Updated: 2026-05-12T13:54:09.182Z

cve-icon NVD

Status : Deferred

Published: 2026-05-09T20:16:29.127

Modified: 2026-05-13T14:54:50.290

Link: CVE-2026-42569

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T15:15:09Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-306

    Missing Authentication for Critical Function

  • CWE-862

    Missing Authorization