Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →


CVE-2026-42569 -- CVSS 9.4 Vulnerability Briefing

CVE-2026-42569 | CVSS 9.4 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-42569 is an unauthenticated access control bypass vulnerability in phpVMS, an open-source PHP-based airline virtual management system, affecting all versions prior to 7.0.6.

Technical Detail

The flaw exists in a legacy import feature within phpVMS that fails to enforce authentication checks, allowing any unauthenticated remote user to access and interact with the endpoint directly. An attacker can trigger this by sending crafted HTTP requests to the legacy import route without supplying valid session credentials or tokens. Depending on the functionality exposed by the import feature, exploitation could lead to unauthorized data manipulation, data exfiltration, or potentially remote code execution if the import mechanism processes user-supplied files or commands.

Exploitation Status

No known exploit code has been observed in the wild as of May 16, 2026, and this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Exploit maturity is therefore assessed as "no known exploit" at this time, though the unauthenticated nature of the flaw and its critical CVSS score of 9.4 make it a candidate for rapid weaponization once details circulate more widely.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence. Organizations operating phpVMS instances exposed to the internet should treat this as an opportunistic exploitation risk given the low barrier to attack.

What To Do

Upgrade phpVMS to version 7.0.6 or later immediately, as this release contains the patch addressing the unauthenticated legacy import access. If an immediate upgrade is not feasible, restrict access to the legacy import endpoint at the web server or firewall level, blocking all unauthenticated external requests to that route. Organizations should audit web server access logs for unexpected or anomalous requests targeting import-related URI paths as a detection signal. Given the critical severity rating and the unauthenticated attack vector, patching should be treated as high priority regardless of current exploitation status.
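The log-audit step above is the one defenders can act on without touching the application. The following is an added example, not phpVMS project code or a Lyceum-supplied tool: it parses web server access logs in the common Apache/nginx "combined" format, flags requests whose path contains an import-related segment, and summarizes them per source address, separating requests the server answered with 2xx (the import route actually served the request) from those it denied. The briefing does not name the legacy import route, so the path marker is a placeholder to be replaced with the real route of your installation, and the log lines are constructed sample data. Note the caveat in the code: an access log cannot tell you whether a request carried a valid session, so the response status is the only "did it get through" signal available at this layer.

```python
"""
Access-log audit for requests to phpVMS import-related URI paths.
Added example (not phpVMS code). Assumes Apache/nginx "combined" log format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache/nginx "combined" format:
# ip ident user [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# PLACEHOLDER (assumption): the briefing does not name the legacy import route.
# Replace this substring match with the actual route of your phpVMS deployment.
IMPORT_PATH_MARKER = "import"


@dataclass
class ImportHit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    ua: str

    @property
    def succeeded(self) -> bool:
        # A 2xx answer means the route served the request. The access log
        # cannot show whether a session was present, so status is the only
        # "did it get through" signal available at this layer.
        return 200 <= self.status < 300


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_import_requests(lines: Iterable[str]) -> List[ImportHit]:
    """Collect every request whose path (query string excluded) looks import-related."""
    hits: List[ImportHit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than aborting the audit
        path_no_query = rec["path"].split("?", 1)[0]
        if IMPORT_PATH_MARKER in path_no_query.lower():
            hits.append(ImportHit(rec["ip"], rec["ts"], rec["method"],
                                  rec["path"], int(rec["status"]), rec["ua"]))
    return hits


def summarize_by_source(hits: Iterable[ImportHit]) -> dict:
    """Per source IP: how many import requests were served (2xx) vs. denied/failed."""
    summary = defaultdict(lambda: {"succeeded": 0, "denied_or_failed": 0})
    for h in hits:
        summary[h.ip]["succeeded" if h.succeeded else "denied_or_failed"] += 1
    return dict(summary)


# Constructed sample log lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/May/2026:10:01:02 +0000] "GET /legacy-import HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [16/May/2026:10:01:05 +0000] "POST /legacy-import?file=x HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.20 - - [16/May/2026:10:02:11 +0000] "GET /flights HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.20 - - [16/May/2026:10:03:00 +0000] "GET /admin/import HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    'this line is deliberately malformed and must be skipped',
]

if __name__ == "__main__":
    found = find_import_requests(SAMPLE_LOG)
    for hit in found:
        flag = "SERVED" if hit.succeeded else "denied"
        print(f"{hit.ts} {hit.ip} {hit.method} {hit.path} -> {hit.status} [{flag}] ua={hit.ua}")
    print(summarize_by_source(found))
```

Run it against a real log with `find_import_requests(open("access.log"))` after setting `IMPORT_PATH_MARKER` to the actual route. Sources with served (2xx) import requests before the upgrade to 7.0.6 are the ones to investigate first; a burst of denied requests from one address after the web server restriction is in place is evidence the block is doing its job.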
