Cyber Resilience

CVE-2026-42569

Critical

Published: 09 May 2026
Modified: 13 May 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0117 (63.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-42569 is a critical-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

phpVMS is a PHP application used to run and simulate airline operations. Prior to version 7.0.6, the software contained a vulnerability that permitted unauthenticated access to a legacy import feature. The issue is tracked under CVE-2026-42569 with a CVSS score of 9.4 and is associated with CWE-284, CWE-306, and CWE-862.

An unauthenticated attacker with network access could reach the unprotected legacy import functionality, resulting in limited confidentiality exposure alongside high integrity and availability impacts on the affected installation.

The vulnerability was addressed in phpVMS release 7.0.6, with the corresponding fix committed in the project repository and documented in the associated GitHub security advisory and subsequent 7.0.7 release notes.

The EPSS score reached a peak of 0.0326 with a current value of 0.0229, reflecting limited movement that does not indicate emerging exploitation interest.

Vulnerability details

phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated access to legacy import feature in public-facing PHP web app (CWE-306/862) directly enables remote exploitation of the application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70985 (shared CWE-284, CWE-862)
CVE-2025-70986 (shared CWE-284, CWE-862)
CVE-2025-70141 (shared CWE-306, CWE-862)
CVE-2026-25058 (shared CWE-306, CWE-862)
CVE-2026-44327 (shared CWE-306, CWE-862)
CVE-2026-44320 (shared CWE-306, CWE-862)
CVE-2026-44329 (shared CWE-306, CWE-862)
CVE-2026-42222 (shared CWE-284, CWE-306)
CVE-2026-33951 (shared CWE-284, CWE-306)
CVE-2026-39310 (shared CWE-284, CWE-306)

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Directly enforces authentication and authorization checks before allowing access to the legacy import feature.

Prevent (IA-8, Identification and Authentication (Non-organizational Users)): Requires identification and authentication of non-organizational users before permitting access to critical functions such as the import endpoint.

Prevent: Restricts system functionality by disabling or removing legacy or unneeded import capabilities that should not be exposed.
