CVE-2026-42569: phpVMS has an /importer authorization bypass causing full database wipe

May 4, 2026

A critical vulnerability in phpVMS 7.x allowed unauthenticated access to a legacy import feature. Although this feature is deprecated, parts of it remained accessible and operational.

References

github.com/advisories/GHSA-fv26-4939-62fh
github.com/phpvms/phpvms
github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc
github.com/phpvms/phpvms/releases/tag/7.0.7
github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh
nvd.nist.gov/vuln/detail/CVE-2026-42569

Code Behaviors & Features

Detect and mitigate CVE-2026-42569 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →