Critical 9.4-Severity CVE-2026-42569 Exposes phpVMS Airline Platform to Unauthenticated Attacks

A critical vulnerability rated 9.4 on the CVSS scale has been disclosed in phpVMS, a PHP application used to run and simulate virtual airline operations. Tracked as CVE-2026-42569, the flaw allows unauthenticated attackers to access a legacy import feature—a security gap that could permit unauthorized data manipulation or system compromise without valid credentials. The severity score places this among the most serious recent disclosures for PHP-based web applications.

phpVMS serves as a backend platform for virtual airline management, handling flight simulations, pilot records, and operational data. Versions prior to 7.0.6 are affected, with the vulnerability stemming from an unprotected legacy import mechanism that failed to enforce proper authentication checks. The issue has been patched in version 7.0.6, but administrators running older deployments remain exposed to potential exploitation. The disclosure was published through security channels including Patchstack and The Hacker Wire.

The vulnerability raises immediate concerns for the virtual aviation community and any organization operating phpVMS in production environments. Unauthenticated access to import functionality could enable attackers to inject malicious data, compromise user accounts, or disrupt airline simulation operations. Security researchers advise immediate patching to version 7.0.6 or later, with particular urgency for publicly accessible installations. The incident highlights the persistent risks posed by legacy features in mature codebases and the importance of regular security audits for specialized web applications.