Security Advisory - Published 2026-07-01 - PHP / Business Apps
FrontAccounting and PHP app check: reports, attachments, uploads, and database logs
This batch covers PHP business apps in which report generation, file uploads, and account data handling can compromise database or file integrity. The focus is on supported upgrades, preserving logs and file evidence before cleanup, and removing unsupported public-facing apps.
Affected CVEs in this batch
| CVE | Product | Affected versions | Review focus | CVSS |
|---|---|---|---|---|
| CVE-2026-40521 | FrontAccounting | before 2.4.20 | attachment uploads and web-root file changes | 8.8 |
| CVE-2026-56124 | phpUploader | before 2.0.2 | uploaded file metadata and application logs | 8.7 |
| CVE-2026-40523 | FrontAccounting | before 2.4.20 | Audit Trail report logs and database errors | 8.1 |
| CVE-2026-13559 | code-projects Real State Services | 1.0 | property listing requests and database logs | 7.5 |
| CVE-2026-40522 | FrontAccounting | before 2.4.20 | Bank Statement report logs and database errors | 7.1 |
What to check
- FrontAccounting installations before 2.4.20, especially where attachment upload, the Audit Trail report, and the Bank Statement report are in use.
- phpUploader installations before 2.0.2, including the uploaded file metadata it exposes, publicly reachable application pages, and upload records in the database.
- code-projects Real State Services 1.0 wherever it is still reachable from the public internet.
- Database logs, report output files, uploaded files, account changes, and backups created during the exposure window.
Safe fix path
- Upgrade FrontAccounting to 2.4.20 or newer, then review reports and attachments against the preserved logs.
- Update phpUploader to 2.0.2 or newer, or remove it from public hosting if it is no longer maintained.
- Remove unsupported demo PHP apps from production domains and shared hosting accounts.
- Preserve database logs, report exports, upload metadata, and file timestamps before cleanup.
Compromise indicators
- Unexpected report exports, long-running report requests, or database errors logged around the report pages (Audit Trail, Bank Statement).
- New or changed files in upload, attachment, or web-root directories.
- Uploaded file metadata visible where it should not be, or unexpected records in upload tables.
- Unknown administrator accounts, changed customer records, or backups created outside the normal maintenance window.
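The fix path above says to preserve logs, upload metadata, and file timestamps before cleanup, and the indicators list points at new or changed files in upload, attachment, and web-root directories. The POSIX shell helpers below carry out both steps on a Linux or BSD host. They are an added example written for this advisory, not code shipped by FrontAccounting, phpUploader, or Ping7; the paths, the evidence directory, and the "reference file" marking the start of the exposure window are assumptions the operator supplies.

```shell
#!/bin/sh
# Triage helpers for a PHP app host (added example; not part of any product).
# Assumptions: the operator knows the web root, the upload/attachment
# directories, and a reference file whose mtime marks the start of the
# exposure window (e.g. the last known-good backup).
set -eu

# Write "sha256 mtime path" for every file under $1, sorted by path.
# Run BEFORE patching or cleanup so hashes and timestamps are on record.
manifest() {
  find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
    hash=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1 || shasum -a 256 "$f" | cut -d' ' -f1)
    mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")   # GNU, then BSD stat
    printf '%s %s %s\n' "$hash" "$mtime" "$f"
  done
}

# List files under $1 modified after reference file $2.
# Finds files created or changed during the exposure window.
changed_since() {
  find "$1" -type f -newer "$2" -print | LC_ALL=C sort
}

# List files under upload/attachment directory $1 with a server-executable
# name. Uploads should be data only (PDF, images, CSV); a .php, .phtml,
# .phar or .htaccess there is a strong compromise indicator.
executable_uploads() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.php[3457]' \
    -o -iname '*.phtml' -o -iname '*.phar' -o -iname '.htaccess' \) -print \
    | LC_ALL=C sort
}

# Copy directory $1 into evidence directory $2 with mtime, ownership and
# mode intact (cp -a), and store a manifest beside the copy.
preserve() {
  mkdir -p "$2"
  cp -a "$1" "$2/"
  manifest "$1" > "$2/manifest.txt"
}

# Typical use on a live host (paths are assumptions):
#   preserve /var/www/frontaccounting/company /srv/evidence/2026-07-01
#   changed_since /var/www/frontaccounting /srv/evidence/last-good-backup.tar
#   executable_uploads /var/www/frontaccounting/company/0/attachments
```

Run `preserve` first, then the two detection helpers, and hand the manifest and any hits to whoever reviews database integrity; the manifest is what lets you prove later which files predated the patch.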
When to ask Ping7 for repair
Use Ping7 CVE Repair when database integrity is uncertain, file changes need review, unsupported PHP apps must be removed, or cleanup must preserve logs before patching.