GHSA-fv26-4939-62fh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fv26-4939-62fh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fv26-4939-62fh/GHSA-fv26-4939-62fh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fv26-4939-62fh
- Aliases
-
- CVE-2026-42569
- Published
- 2026-05-04T21:20:40Z
- Modified
- 2026-05-13T13:54:44.258293Z
- Severity
-
- 9.4 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H CVSS Calculator
- Summary
- phpVMS has an /importer authorization bypass causing full database wipe
- Details
-
Security Advisory: Unauthenticated Access to Legacy Import Feature
Severity: Critical Affected versions: phpVMS 7.x (up to 7.0.5) Fixed in: v7.0.6 Component: Legacy importer
Summary
A critical vulnerability in phpVMS 7.x allowed unauthenticated access to a legacy import feature. Although this feature is deprecated, parts of it remained accessible and operational.
Impact
A remote attacker could trigger internal processes that modify or delete application data, potentially resulting in:
- Data loss
- Service disruption
No authentication was required.
Remediation
- Update immediately to the latest patched version
- If unable to update:
- The release link has instructions on how to fix it (it's a one-line fix to comment out the routes)
Affected Versions
- Affected: phpVMS 7.x ≤ 7.0.5
- Not affected: phpVMS >= 7.0.6, v8 (feature removed from public access)
- Database specific
{ "cwe_ids": [ "CWE-284", "CWE-306", "CWE-862" ], "github_reviewed": true, "github_reviewed_at": "2026-05-04T21:20:40Z", "nvd_published_at": "2026-05-09T20:16:29Z", "severity": "CRITICAL" }- References
-
- https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh
- https://nvd.nist.gov/vuln/detail/CVE-2026-42569
- https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc
- https://github.com/phpvms/phpvms
- https://github.com/phpvms/phpvms/releases/tag/7.0.6
- https://github.com/phpvms/phpvms/releases/tag/7.0.7
Affected packages
Packagist / nabeel/phpvms
Package
- Name
- nabeel/phpvms
- Purl
- pkg:composer/nabeel/phpvms
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.0.6