CVE-2026-42569 CRITICAL

CVE-2026-42569: phpvms: /importer authorization bypass causing full database wipe

Vendor Phpvms

Product phpvms

Weakness CWE-284

Published May 9, 2026

Last update May 12, 2026

View on NVD All CVEs

CVSS base score

9.4/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

What the vulnerability does

Description

phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.

Key dates

Disclosure timeline

May 9, 2026 CVE published

May 12, 2026 Record updated