Security Advisory - Published 2026-07-01 - PHP / Business Apps

FrontAccounting and PHP app check: reports, attachments, uploads, and database logs

This batch covers PHP business apps where report output, file uploads, and account data can put database or file integrity at risk. Focus on supported upgrades, log preservation, and removing unsupported public apps.

Defensive scope: check systems you own or are approved to repair. This page stays on version checks, exposure review, logs, patching, and compromise indicators.

Affected CVEs in this batch

CVE            | Product                           | Affected      | Review                                        | CVSS
---------------|-----------------------------------|---------------|-----------------------------------------------|-----
CVE-2026-40521 | FrontAccounting                   | before 2.4.20 | attachment uploads and web-root file changes  | 8.8
CVE-2026-56124 | phpUploader                       | before 2.0.2  | uploaded file metadata and application logs   | 8.7
CVE-2026-40523 | FrontAccounting                   | before 2.4.20 | Audit Trail report logs and database errors   | 8.1
CVE-2026-13559 | code-projects Real State Services | 1.0           | property listing requests and database logs   | 7.5
CVE-2026-40522 | FrontAccounting                   | before 2.4.20 | Bank Statement report logs and database errors | 7.1

What to check

  • FrontAccounting before 2.4.20, especially attachment upload, Audit Trail report, and Bank Statement report use.
  • phpUploader before 2.0.2, including uploaded file metadata, exposed application pages, and upload database records.
  • code-projects Real State Services 1.0 when it is still reachable from a public domain.
  • Database logs, report output files, uploaded files, account changes, and backups created during the exposure window.

Safe fix path

  1. Patch FrontAccounting to 2.4.20 or newer before reviewing reports and attachments.
  2. Update phpUploader to 2.0.2 or newer, or remove it from public hosting if it is no longer maintained.
  3. Remove unsupported demo PHP apps from production domains and shared hosting accounts.
  4. Preserve database logs, report exports, upload metadata, and file timestamps before cleanup.

Compromise indicators

  • Unexpected report exports, long-running report requests, or database errors around report pages.
  • New or changed files in upload, attachment, or web-root directories.
  • Uploaded file metadata visible where it should not be, or unexpected records in upload tables.
  • Unknown administrator accounts, changed customer records, or backups created outside the normal maintenance window.
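The version check from the fix path and the changed-file indicator above, as an added POSIX shell example that is not part of this advisory or of Ping7's tooling: it gates the two patchable products on the fixed releases in the table and snapshots files in upload, attachment, or web-root directories that are newer than a reference file before any cleanup. The directory paths, the reference file, and the version strings passed in are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: version gate plus evidence snapshot.
# Directory paths, reference file and version strings are assumptions.

# Returns 0 (true) when $1 is at least $2 under natural version ordering.
version_at_least() {
  [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Returns 0 (true) when the installed version ($2) of product ($1) is below
# the fixed release in the table (FrontAccounting 2.4.20, phpUploader 2.0.2).
needs_patch() {
  case "$1" in
    frontaccounting) fixed=2.4.20 ;;
    phpuploader)     fixed=2.0.2 ;;
    *) echo "unknown product: $1" >&2; return 2 ;;
  esac
  if version_at_least "$2" "$fixed"; then return 1; else return 0; fi
}

# Record every file under the given directories that is newer than a
# reference file (for example the last known-good backup) with its ls -l
# line (mode, owner, mtime) and POSIX cksum, into an evidence file.
# Prints the number of changed files. Run before patching or deleting.
snapshot_changed_files() {
  ref=$1; out=$2; shift 2
  find "$@" -type f -newer "$ref" > "$out.list"
  : > "$out"
  while IFS= read -r f; do
    ls -l "$f" >> "$out"
    cksum "$f" >> "$out"
  done < "$out.list"
  wc -l < "$out.list" | tr -d ' '
}

# Usage (all paths are placeholders, not the product's documented layout):
#   needs_patch frontaccounting 2.4.19 && echo "patch before reviewing reports"
#   snapshot_changed_files /var/backups/last_good.sql /var/tmp/evidence.txt \
#       /var/www/frontaccounting/company/0/attachments /var/www/html
```

The evidence file keeps timestamps and checksums as they were at collection time, so later cleanup does not destroy the record of what changed during the exposure window.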

When to ask Ping7 for repair

Use Ping7 CVE Repair when database integrity is uncertain, file changes need review, unsupported PHP apps must be removed, or cleanup must preserve logs before patching.