EXECUTIVE SUMMARY:
CVE-2026-42569 (CVSS 9.4) is a critical authentication bypass vulnerability in phpVMS that lets an attacker reach the /importer feature without proper authorization, resulting in a full database wipe. The affected product is phpVMS version 7.x, specifically up to 7.0.5. Although the /importer feature is deprecated, it remained accessible and operational, so a remote attacker can trigger internal processes that modify or delete application data. The /importer endpoint enforces no authentication or authorization requirements, which gives anyone who can reach it the capability to manipulate and delete sensitive data. Successful exploitation can have significant business impact, including data loss and potential disruption of business operations. Exploitation requires no privileges and no user interaction, and the attack vector is remote, making this a high-severity threat.
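To check whether the /importer endpoint described above has been requested on a phpVMS host, the following added example (not code from phpVMS or the advisory) scans web server access logs for hits on that route. It assumes logs in Combined Log Format and treats a 2xx response as a sign the importer actually handled the request; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: Combined Log Format (Apache/nginx default style).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_importer_path(path):
    """True if the request targets /importer or anything beneath it."""
    p = path.split("?", 1)[0].split("#", 1)[0]   # drop query and fragment
    p = unquote(p)                                # catch percent-encoded spellings
    p = re.sub(r"/+", "/", p).lower().rstrip("/") # collapse slashes, match loosely
    return p == "/importer" or p.startswith("/importer/")

def find_importer_hits(lines):
    """Group importer requests by client IP.

    'served' is True for 2xx responses (assumption: the handler ran rather
    than the server rejecting or redirecting the request).
    """
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_importer_path(m["path"]):
            continue
        status = int(m["status"])
        hits[m["ip"]].append({
            "time": m["ts"], "method": m["method"], "path": m["path"],
            "status": status, "served": 200 <= status < 300,
        })
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2026:10:01:02 +0000] "GET /importer HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/May/2026:10:01:09 +0000] "POST /importer/ HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '198.51.100.4 - - [12/May/2026:10:02:00 +0000] "GET /%69mporter/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2026:10:03:00 +0000] "GET /importers-guide HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reqs in find_importer_hits(SAMPLE_LOG).items():
        for r in reqs:
            flag = "SERVED" if r["served"] else "probe"
            print(f'{flag:6} {ip} {r["time"]} {r["method"]} {r["path"]} -> {r["status"]}')
```

Any SERVED entry on a version up to 7.0.5 is worth correlating with database state and backups from the same time window.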
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-fv26-4939-62fh