CVE-2026-42569
published 2026-05-09


Priority: P267 · Severity: critical · CVSS 3.1 base score: 9.4
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Exploit: flagged (public exploit available)
EPSS: 1.17% (63.6th percentile)
phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.

Affected (2 ranges)

Vendor    Product   Version range     Fixed in
nabeel    phpvms    >= 0, < 7.0.6     7.0.6
phpvms    phpvms    < 7.0.6           7.0.6

Detection & IOCs (extracted from sources)

  • url: /importer
  • other: shodan: http.html:"phpvms"
  • other: fofa: app="phpVMS"
  • Detect unauthenticated GET requests to the /importer endpoint returning HTTP 200 with legacy importer page content
  • Flag HTTP 200 responses to GET /importer containing any of the strings: 'Import Configuration', 'Database Config', 'Start Importer', 'WIPE OUT YOUR EXISTING DATA', or 'importer/config' — these indicate the legacy importer is accessible without authentication
  • Exploit requires no special privileges — a single unauthenticated GET request to /importer is sufficient to confirm exposure
  • Vulnerability is only present in phpVMS versions prior to 7.0.6; patched installations will redirect or deny access to /importer
  • The Nuclei template uses a single GET request (max-request: 1), meaning detection is lightweight but relies on the importer page being rendered with identifiable strings in the response body