CVE
CVE-2026-42569
phpVMS has an /importer authorization bypass causing full database wipe
Security Advisory: Unauthenticated Access to Legacy Import Feature
Severity: Critical
Affected versions: phpVMS 7.x (up to 7.0.5)
Fixed in: v7.0.6
Component: Legacy importer
Summary
A critical vulnerability in phpVMS 7.x allowed unauthenticated access to a legacy import feature. Although this feature is deprecated, parts of it remained accessible and operational.
Impact
A remote attacker could trigger internal processes that modify or delete application data, potentially resulting in:
- Data loss
- Service disruption
No authentication was required.
Remediation
- Update immediately to the latest patched version
- If unable to update:
- The release link has instructions on how to fix it (it's a one-line fix to comment out the routes)
Affected Versions
- Affected: phpVMS 7.x ≤ 7.0.5
- Not affected: phpVMS >= 7.0.6, v8 (feature removed from public access)
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
C
H
U
-
Related Resources
No items found.
References
https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh, https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc, https://github.com/phpvms/phpvms, https://github.com/phpvms/phpvms/releases/tag/7.0.7
Basic Information
Ecosystem
