CVE-2026-42569
Published: 09 May 2026
Summary
CVE-2026-42569 is an Improper Access Control (CWE-284) vulnerability in phpVMS with a CVSS base score of 9.4 (Critical).
Exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 36.3% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
phpVMS is a PHP application used to run and simulate airline operations. Prior to version 7.0.6, the software contained a vulnerability that permitted unauthenticated access to a legacy import feature. The issue is tracked under CVE-2026-42569 with a CVSS score of 9.4 and is associated with CWE-284, CWE-306, and CWE-862.
Any unauthenticated attacker who can reach the application over the network can invoke the unprotected legacy import functionality. The confidentiality impact is limited, but the integrity and availability impacts are high, which is what drives the 9.4 base score.
The vulnerability was addressed in phpVMS release 7.0.6, with the corresponding fix committed in the project repository and documented in the associated GitHub security advisory and subsequent 7.0.7 release notes.
The EPSS score (the estimated probability of exploitation activity within the next 30 days) peaked at 0.0326 and currently stands at 0.0229; the small decline indicates no emerging exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28930
Vulnerability details
phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.
- CWE(s): CWE-284 (Improper Access Control), CWE-306 (Missing Authentication for Critical Function), CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 Exploit Public-Facing Application
Why these techniques?
The legacy import feature of a public-facing PHP web application can be reached with neither authentication nor authorization (CWE-306/CWE-862), so the vulnerability is exploited directly over the network against the exposed application, which is exactly what T1190 describes.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization checks before allowing access to the legacy import feature.
- IA-8 (Identification and Authentication (Non-organizational Users)): requires identification and authentication of non-organizational users before permitting access to critical functions such as the import endpoint.
- Restricts system functionality by disabling or removing legacy/unneeded import capabilities that should not be exposed.
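The access-control failure described under "Deeper analysis" and the controls listed above, as an added PHP example that is neither phpVMS's own code nor the fix shipped in 7.0.6: a minimal dispatcher in which a legacy import action is wired up with no guard at all (the CWE-306/CWE-862 pattern), beside a hardened dispatcher that applies the checks the controls call for. The route path /admin/legacy-import, the admin role, the legacy_import_enabled flag and the Request class are assumptions made for illustration; the real phpVMS endpoint and patch are not shown on this page.

```php
<?php
declare(strict_types=1);

// Added example (not phpVMS code). A toy dispatcher in the style of the bug class on
// this page: a legacy import action reachable without any authentication or
// authorization check (CWE-306 / CWE-862), beside a hardened dispatcher that enforces
// both and lets operators switch the legacy feature off. Route path, role name and
// config key are hypothetical. Requires PHP 8.1+ (readonly promoted properties).

final class Request
{
    public function __construct(
        public readonly string $path,
        public readonly ?array $user = null, // null models an anonymous caller
    ) {
    }
}

// Stand-in for the import action itself; what matters here is who can reach it.
function legacyImport(Request $r): string
{
    return 'legacy import executed for ' . ($r->user['name'] ?? 'anonymous');
}

// Vulnerable: the route table wires the action up with no guard, so any network
// client that knows the path gets a 200 and a completed import.
function dispatchVulnerable(Request $r): array
{
    $routes = ['/admin/legacy-import' => 'legacyImport']; // hypothetical path
    if (!isset($routes[$r->path])) {
        return [404, 'not found'];
    }
    return [200, $routes[$r->path]($r)];
}

// Hardened: every route carries its guard requirements, and the dispatcher applies
// them in a fixed order before the handler is ever called.
function dispatchHardened(Request $r, array $config = ['legacy_import_enabled' => false]): array
{
    $routes = [
        '/admin/legacy-import' => [
            'handler' => 'legacyImport',
            'role'    => 'admin',                 // hypothetical role name
            'feature' => 'legacy_import_enabled', // hypothetical config flag
        ],
    ];
    if (!isset($routes[$r->path])) {
        return [404, 'not found'];
    }
    $route = $routes[$r->path];

    // Least functionality: a disabled legacy feature is simply not routable.
    if (isset($route['feature']) && empty($config[$route['feature']])) {
        return [404, 'not found'];
    }
    // Identification and authentication (IA-8): anonymous callers stop here.
    if ($r->user === null) {
        return [401, 'authentication required'];
    }
    // Access enforcement (AC-3): the authenticated user must hold the required role.
    if (!in_array($route['role'], $r->user['roles'] ?? [], true)) {
        return [403, 'forbidden'];
    }
    return [200, $route['handler']($r)];
}

// Demo: the same anonymous request against both dispatchers, then a legitimate
// admin against the hardened one with the feature deliberately enabled.
$anon  = new Request('/admin/legacy-import');
$admin = new Request('/admin/legacy-import', ['name' => 'ops', 'roles' => ['admin']]);

foreach ([
    'vulnerable, anonymous'            => dispatchVulnerable($anon),
    'hardened, anonymous, feature off' => dispatchHardened($anon),
    'hardened, anonymous, feature on'  => dispatchHardened($anon, ['legacy_import_enabled' => true]),
    'hardened, admin, feature on'      => dispatchHardened($admin, ['legacy_import_enabled' => true]),
] as $label => [$status, $body]) {
    printf("%-34s -> %d %s\n", $label, $status, $body);
}
```

Run it with php 8.1 or newer. The order of the checks in the hardened dispatcher is deliberate: the feature flag is tested first so a disabled legacy path is unreachable regardless of credentials, authentication comes before authorization so anonymous callers never reach the role lookup, and the handler runs only after every guard has passed. Auditing an application for this bug class is largely a matter of finding routes wired up like the vulnerable table: handlers with no middleware or guard between them and the network.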