<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-07T08:12:56.721172+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/73008952-7fec-4b43-9378-16f5fe72d786/export</id>
    <title>73008952-7fec-4b43-9378-16f5fe72d786</title>
    <updated>2026-06-07T08:12:57.100232+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "73008952-7fec-4b43-9378-16f5fe72d786", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42569", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mlh5akau6l2l", "content": "\ud83d\udd34 CVE-2026-42569 - Critical (9.4)\n\nphpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vu...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42569/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-09T21:00:19.374356Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/73008952-7fec-4b43-9378-16f5fe72d786/export"/>
    <published>2026-05-09T21:00:19.374356+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/58e91658-b42f-4497-a358-b5bdbfd17784/export</id>
    <title>58e91658-b42f-4497-a358-b5bdbfd17784</title>
    <updated>2026-06-07T08:12:57.100146+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "58e91658-b42f-4497-a358-b5bdbfd17784", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42569", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlh742ogqh2i", "content": "CVE-2026-42569 - phpvms: /importer authorization bypass causing full database wipe\nCVE ID : CVE-2026-42569\n \n Published : May 9, 2026, 8:16 p.m. | 33\u00a0minutes ago\n \n Description : phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vul...", "creation_timestamp": "2026-05-09T21:33:35.759954Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/58e91658-b42f-4497-a358-b5bdbfd17784/export"/>
    <published>2026-05-09T21:33:35.759954+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/63cc79c3-e922-454b-8f61-a3d3919b4ff3/export</id>
    <title>63cc79c3-e922-454b-8f61-a3d3919b4ff3</title>
    <updated>2026-06-07T08:12:57.100058+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "63cc79c3-e922-454b-8f61-a3d3919b4ff3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42569", "type": "seen", "source": "Telegram/SIYC479cd7OXO6M3FHPVDiAtnkWrYOPv-oH3-0HRx7SmKZ4", "content": "", "creation_timestamp": "2026-05-11T15:00:07.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/63cc79c3-e922-454b-8f61-a3d3919b4ff3/export"/>
    <published>2026-05-11T15:00:07+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/d50dbe17-2b28-48bc-8442-a1a7ffcb8f85/export</id>
    <title>d50dbe17-2b28-48bc-8442-a1a7ffcb8f85</title>
    <updated>2026-06-07T08:12:57.099943+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "d50dbe17-2b28-48bc-8442-a1a7ffcb8f85", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42569", "type": "confirmed", "source": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-42569.yaml", "content": "", "creation_timestamp": "2026-05-12T02:44:07.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/d50dbe17-2b28-48bc-8442-a1a7ffcb8f85/export"/>
    <published>2026-05-12T02:44:07+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/0e2ca2a8-2319-4933-83a9-0b56b8510f7a/export</id>
    <title>0e2ca2a8-2319-4933-83a9-0b56b8510f7a</title>
    <updated>2026-06-07T08:12:57.098461+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "0e2ca2a8-2319-4933-83a9-0b56b8510f7a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42569", "type": "seen", "source": "https://gist.github.com/ImTopz/f2594fa5cfbb88d233b74eb182cef5cc", "content": "# Defensive Analysis: CVE-2026-42569 in phpVMS\n\n## Summary\n\nCVE-2026-42569 is a critical access-control issue in phpVMS, a PHP application used for virtual airline management. The affected versions are phpVMS releases before 7.0.6. The issue involved unauthenticated access to a deprecated legacy import feature that should not have remained reachable through normal web routing.\n\nThe impact is serious because importer and migration features can change application data. If that surface is exposed without authentication or authorization, operators can lose data integrity and availability. GitHub's advisory rates the issue as CVSS 3.1 9.4 Critical and maps it to CWE-284, CWE-306, and CWE-862.\n\nThis is a defensive review note. It does not include exploitation instructions. My goal is to document the affected versions, the failed trust boundary, the upstream fix, and practical checks operators can make after updating.\n\n## Affected Versions\n\n- Affected: phpVMS versions before 7.0.6\n- Fixed: phpVMS 7.0.6 and later\n- Follow-up release: 7.0.7\n\n## Public References\n\n- CVE AWG: https://cveawg.mitre.org/api/cve/CVE-2026-42569\n- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42569\n- GitHub Security Advisory: https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh\n- GitHub Advisory Database: https://github.com/advisories/GHSA-fv26-4939-62fh\n- Patch commit: https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc\n- phpVMS 7.0.6 release: https://github.com/phpvms/phpvms/releases/tag/7.0.6\n- phpVMS 7.0.7 release: https://github.com/phpvms/phpvms/releases/tag/7.0.7\n\n## Root Cause Boundary\n\nThis was an access-control failure around legacy web-facing importer functionality. It was not a browser-side script issue or a memory-corruption issue.\n\nThe important boundary is straightforward:\n\n- Migration and importer features should not remain exposed in normal production routes.\n- Critical data-changing paths must require authentication and authorization.\n- Deprecated setup or compatibility code should be removed, disabled by default, or protected behind an explicit operator-controlled gate.\n\nThe upstream advisory states that parts of the deprecated importer remained accessible and operational. The fix removes that web-facing importer exposure.\n\n## Patch Review\n\nThe patch commit removes the route mapping for the legacy importer and deletes associated importer views. The 7.0.6 release notes point to the advisory and state that the web-facing importer was removed. The 7.0.7 release repeats the advisory link and includes follow-up hardening around the installer.\n\nAt a high level, the fix moves phpVMS from:\n\n- legacy importer routes registered in the web application\n\nto:\n\n- legacy importer no longer exposed through web-facing routes\n\nThat is the right remediation shape for deprecated critical functionality. Removing the reachable surface is cleaner than trying to preserve it and add partial checks afterward.\n\n## Defensive Validation Plan\n\nFor a system you own or are authorized to review:\n\n1. Identify the deployed phpVMS version.\n2. Check whether it is older than 7.0.6.\n3. Review route registration or deployed release contents for legacy importer exposure.\n4. Upgrade to 7.0.6 or later, preferably 7.0.7 or newer.\n5. Confirm that the legacy importer is no longer web-facing.\n6. Review logs for unexpected access attempts to legacy importer paths.\n7. Back up application data before and after remediation.\n\n## Operator Remediation\n\n- Upgrade to phpVMS 7.0.6 or later.\n- Prefer the latest available 7.x release if it is compatible with the deployment.\n- If immediate upgrade is not possible, follow the mitigation guidance linked from the 7.0.6 / 7.0.7 release notes.\n- Restrict administrative, installer, importer, and migration paths at the web server or reverse proxy layer.\n- Review application logs for access to deprecated importer endpoints.\n- Keep backups available before making production changes.\n\n## Why This Case Is Useful\n\nAccess-control failures around legacy functionality are easy to miss in mature web applications. The primary login flow can be correct while an older installer, importer, debug route, or migration path remains reachable.\n\nCVE-2026-42569 is a compact example of why web application review needs both code review and deployment review. Code review catches route exposure and missing middleware. Deployment review catches whether deprecated paths are reachable in real environments. Patch review confirms whether the fix removes the exposed surface instead of only hiding it.\n\n## Attribution\n\nOriginal reporter credit in the GitHub advisory belongs to `peter-bosch`. This note is an independent defensive analysis and patch-validation summary based on public sources.\n\n## Status\n\nPublished by `ImTopz` for defensive review and CVP verification context.\n", "creation_timestamp": "2026-06-05T14:32:56.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/0e2ca2a8-2319-4933-83a9-0b56b8510f7a/export"/>
    <published>2026-06-05T14:32:56+00:00</published>
  </entry>
</feed>
