CVE-2026-42569
Published 2026-05-09
Priority: P267 · Severity: critical · CVSS 3.1 base score: 9.4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
EPSS: 1.17% (63.6th percentile)
phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nabeel | phpvms | >= 0 < 7.0.6 | 7.0.6 |
| phpvms | phpvms | < 7.0.6 | 7.0.6 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to the /importer endpoint that return HTTP 200 with legacy importer page content.
- Flag HTTP 200 responses to GET /importer containing any of the strings 'Import Configuration', 'Database Config', 'Start Importer', 'WIPE OUT YOUR EXISTING DATA', or 'importer/config'; these indicate the legacy importer is accessible without authentication.
- The exploit requires no special privileges: a single unauthenticated GET request to /importer is sufficient to confirm exposure.
- The vulnerability is only present in phpVMS versions prior to 7.0.6; patched installations redirect or deny access to /importer.
- The Nuclei template uses a single GET request (max-request: 1), so detection is lightweight but relies on the importer page being rendered with identifiable strings in the response body.
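The following script is an added example, not code from the page or from the phpVMS project. It implements the two checks the bullets above describe: the single unauthenticated GET to /importer (HTTP 200 plus one of the listed marker strings means exposed; a 3xx or 4xx means patched or protected), and the matching rule applied to web-server access logs so a SOC can find hosts that already answered such a request. The host name, the response bodies and the Combined Log Format lines are constructed for the example; no real phpVMS instance is contacted unless you run it with a URL argument.

```python
"""Added example for CVE-2026-42569: probe /importer and scan access logs.

Not part of the page or of phpVMS. All sample data below is constructed.
"""
import re
import sys
import urllib.error
import urllib.request

IMPORTER_PATH = "/importer"

# Strings the detection bullets say a rendered legacy importer page contains.
IMPORTER_MARKERS = (
    "Import Configuration",
    "Database Config",
    "Start Importer",
    "WIPE OUT YOUR EXISTING DATA",
    "importer/config",
)


def is_importer_exposed(status: int, body: str) -> bool:
    """Exposed only when GET /importer answered 200 AND rendered the importer.

    A patched 7.0.6 install redirects (3xx) or denies (401/403), so a 302 to
    the login page, or a 200 that is merely the login form, must not match.
    """
    if status != 200:
        return False
    return any(marker in body for marker in IMPORTER_MARKERS)


def probe(base_url: str, timeout: float = 10.0) -> tuple:
    """One unauthenticated GET to /importer (the max-request: 1 check).

    Redirects are not followed on purpose: following a 302 to /login would
    return a 200 login page and could mask the difference between patched
    and unpatched installs. Returns (status, body).
    """
    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # hand the 3xx back to the caller as an HTTPError

    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        base_url.rstrip("/") + IMPORTER_PATH,
        headers={"User-Agent": "cve-2026-42569-check"},  # assumed UA string
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Combined Log Format: client, ident, user, [timestamp], "METHOD PATH PROTO", status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (ip, timestamp, path) for every GET to /importer (or below it,
    e.g. /importer/config) that the server answered with HTTP 200.

    Requiring status 200 is what separates a successful hit from the
    harmless 302/403 a patched install logs for the same request.
    """
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        path = m["path"].split("?", 1)[0]
        under_importer = path == IMPORTER_PATH or path.startswith(IMPORTER_PATH + "/")
        if m["method"] == "GET" and under_importer and m["status"] == "200":
            hits.append((m["ip"], m["ts"], path))
    return hits


# Constructed sample data: one scanner that reached an unpatched host, one
# that hit a patched host (302 to /login), plus unrelated traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/May/2026:10:01:02 +0000] "GET /importer HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/May/2026:10:01:05 +0000] "GET /importer/config HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/May/2026:10:02:00 +0000] "GET /importer HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.4 - - [09/May/2026:10:02:01 +0000] "GET /login HTTP/1.1" 200 1800 "-" "curl/8.0"',
]
SAMPLE_BODY_VULNERABLE = "<h1>Import Configuration</h1><button>Start Importer</button>"
SAMPLE_BODY_LOGIN = "<title>Login</title><form action=\"/login\">"

if __name__ == "__main__":
    # Usage: python check_importer.py https://vms.example.test  (assumed host)
    if len(sys.argv) > 1:
        status, body = probe(sys.argv[1])
        print(sys.argv[1], "EXPOSED" if is_importer_exposed(status, body) else f"not exposed ({status})")
    for ip, ts, path in scan_access_log(SAMPLE_LOG):
        print(f"log hit: {ip} {ts} GET {path} -> 200")
```

Run it against an access log by replacing SAMPLE_LOG with the lines of your file; the 302 line in the sample is deliberately left out of the hits so that a patched host generating the same request is not reported as compromised.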
No detection rules found.
Nuclei template: CVE-2026-42569 [CRITICAL] phpVMS < 7.0.6 - Legacy Importer Authorization Bypass (nuclei · CVSS 9.4)
phpVMS < 7.0.6 contains an authentication bypass caused by unauthenticated access to a legacy import feature, letting unauthenticated attackers access restricted functionality; the exploit requires no special privileges.
Template:

```yaml
id: CVE-2026-42569

info:
  name: phpVMS < 7.0.6 - Legacy Importer Authorization Bypass
  author: 0x_Akoko
  severity: critical
  description: |
    phpVMS < 7.0.6 contains an authentication bypass caused by unauthenticated access to a legacy import feature, letting unauthenticated attackers access restricted functionality, exploit requires no special privileges.
  impact: |
    Unauthenticated attackers can access restricted import functionality, potentially leading to unauthorized data manipulation or system compromise.
  remedi
```
No writeups or analysis indexed.