id: CVE-2026-42569

info:
  name: phpVMS < 7.0.6 - Legacy Importer Authorization Bypass
  author: 0x_Akoko
  severity: critical
  description: |
    phpVMS < 7.0.6 contains an authentication bypass caused by unauthenticated access to a legacy import feature, letting unauthenticated attackers access restricted functionality; exploitation requires no special privileges.
  impact: |
    Unauthenticated attackers can access restricted import functionality, potentially leading to unauthorized data manipulation or system compromise.
  remediation: |
    Update to version 7.0.6 or later.
  reference:
    - https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh
    - https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc
    - https://nvd.nist.gov/vuln/detail/CVE-2026-42569
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
    cvss-score: 9.4
    cve-id: CVE-2026-42569
    epss-score: 0.01173
    epss-percentile: 0.63557
    cwe-id: CWE-284,CWE-306,CWE-862
  metadata:
    verified: true
    max-request: 1
    vendor: phpvms
    product: phpvms
    shodan-query: http.html:"phpvms"
    fofa-query: app="phpVMS"
  tags: cve,cve2026,phpvms,auth-bypass,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}/importer"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(to_lower(body), "importer", "phpvms")'
          - 'contains_any(body, "Import Configuration", "Database Config", "Start Importer", "WIPE OUT YOUR EXISTING DATA", "importer/config")'
        condition: and
# digest: 490a0046304402207c79b99b0344bb964a44ea5c521b0bfc4b485bfeec305dd63e28f27497581ea10220730f596f7feef79cd02babafe21fe82f25b20759ebbb9cfa4cd9429209f42263:922c64590222798bb761d5b6d8e72950