Description
phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.
Published: 2026-05-09
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A critical authorization bypass exists in phpVMS prior to version 7.0.6 that allows any unauthenticated user to invoke a legacy import process. This process is capable of overwriting or deleting the entire database, effectively erasing all flight, staff, and passenger records. The flaw stems from missing access controls, enabling attackers to execute privileged data‑management operations normally restricted to administrators.

Affected Systems

The vulnerability affects installations of phpVMS version 7.0.5 and earlier, specifically the open‑source phpVMS application distributed under the vendor phpvms:phpvms. Any instance running an unsupported or older release is susceptible.

Risk and Exploitability

The CVSS score of 9.4 denotes critical severity. While an EPSS score is not listed, the vulnerability can be exploited remotely without authentication, granting full control over the database. The flaw is not currently listed in CISA KEV and no public exploits are documented, yet the lack of authentication and the destructive impact pose a high risk to any internet‑connected phpVMS deployment.

Generated by OpenCVE AI on May 9, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading phpVMS to version 7.0.6 or later.
  • If an upgrade is not immediately possible, disable or delete the legacy /importer endpoint and enforce authentication for all import functionality.
  • Configure web‑application firewall or server rules to block unauthenticated requests to the importer script.

Generated by OpenCVE AI on May 9, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fv26-4939-62fh phpVMS has an /importer authorization bypass causing full database wipe
History

Sat, 09 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Phpvms
Phpvms phpvms
Vendors & Products Phpvms
Phpvms phpvms

Sat, 09 May 2026 19:45:00 +0000

Type Values Removed Values Added
Description phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.
Title phpvms: /importer authorization bypass causing full database wipe
Weaknesses CWE-284
CWE-306
CWE-862
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H'}

Subscriptions

Phpvms Phpvms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:21:48.592Z

Reserved: 2026-04-28T17:26:12.084Z

Link: CVE-2026-42569

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T20:16:29.127

Modified: 2026-05-09T20:16:29.127

Link: CVE-2026-42569

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T21:00:11Z

Weaknesses