{"id":"CVE-2026-42569","summary":"phpvms: /importer authorization bypass causing full database wipe","details":"phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.","aliases":["GHSA-fv26-4939-62fh"],"modified":"2026-07-08T08:13:25.411381217Z","published":"2026-05-09T19:21:48.592Z","database_specific":{"cwe_ids":["CWE-284","CWE-306","CWE-862"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42569.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/phpvms/phpvms/releases/tag/7.0.6"},{"type":"WEB","url":"https://github.com/phpvms/phpvms/releases/tag/7.0.7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42569.json"},{"type":"ADVISORY","url":"https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42569"},{"type":"FIX","url":"https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phpvms/phpvms","events":[{"introduced":"0"},{"fixed":"f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc"},{"fixed":"c123426b7ca3aeb2d89082d908f62ee3e390bbce"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"7.0.6"}]}}],"versions":["7.0.6","7.0.5","7.0.4","7.0.3","7.0.2","7.0.1","7.0.0","7.0.0-beta.5","7.0.0-beta.4","7.0.0-beta.3","7.0.0-beta.2","v7.0.0-beta","v7.0.0-alpha2","v7.0.0-alpha1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42569.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H"}]}