Security Advisory - Published 2026-06-29 - PHP / MySQL
PHP app SQL injection check: YzmCMS installer and restaurant-management-system
This batch covers small PHP/MySQL applications where exposed installer or account-recovery paths can put the database at risk. The safest response is to remove public exposure, preserve logs, and verify database changes before reopening the site.
Affected CVEs in this batch
| CVE | Product | Affected versions | What to review | CVSS |
|---|---|---|---|---|
| CVE-2026-13498 | yashpokharna2555 restaurent-management-system | no fixed version metadata | forgot-password and database logs | 7.5 |
| CVE-2026-13529 | YzmCMS | through 7.5 | installer and database logs | 5.6 |
What to check
- YzmCMS through 7.5, especially exposed installer paths and recent installation activity.
- The yashpokharna2555 restaurent-management-system project, especially public account-recovery pages.
- Database logs, changed administrator records, reset tokens, configuration changes, and unexpected new rows.
- Unsupported PHP demo apps that remain reachable from production domains or shared hosting accounts.
Safe fix path
- Remove installer and demo application exposure before starting cleanup.
- Preserve web logs, database logs, application config files, and recent backups.
- Patch supported systems. For unsupported projects, migrate or remove the application from public hosting.
- Rotate database credentials if logs show suspicious access or unknown configuration changes.
Compromise indicators
- Installer requests after the site was already deployed.
- Repeated forgot-password requests, unexpected reset tokens, or user email changes.
- Database errors, changed admin rows, unknown users, or altered site configuration values.
- New PHP files, changed upload directories, or backups created outside the normal maintenance window.
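An added example, not part of this advisory or of either project, that scans web server access-log lines for two of the indicators above: installer requests after the deployment date and repeated forgot-password POSTs from one source address. The installer prefix, the recovery page path, the threshold and the sample log lines are assumptions constructed for the example; adjust the paths to the actual install.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Assumed paths (hypothetical; confirm against the real deployment):
INSTALLER_PREFIXES = ("/install/",)       # installer directory of the CMS
RESET_PATHS = ("/forgot-password.php",)   # account-recovery page of the demo app
RESET_THRESHOLD = 5                       # POSTs per source IP before flagging

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method,
            "path": path.split("?")[0], "status": int(status)}

def find_indicators(lines, deployed_at):
    """Return (kind, detail) findings: installer hits after deployment, and
    source IPs that POSTed to the recovery page at least RESET_THRESHOLD times."""
    findings = []
    reset_hits = defaultdict(int)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["path"].startswith(INSTALLER_PREFIXES) and rec["when"] > deployed_at:
            findings.append(("installer-after-deploy",
                             f'{rec["ip"]} {rec["method"]} {rec["path"]} {rec["status"]}'))
        if rec["path"] in RESET_PATHS and rec["method"] == "POST":
            reset_hits[rec["ip"]] += 1
    for ip, n in reset_hits.items():
        if n >= RESET_THRESHOLD:
            findings.append(("repeated-forgot-password", f"{ip} {n} POSTs"))
    return findings

# Constructed sample log lines (not real traffic); site assumed deployed 2026-06-01.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jun/2026:02:14:05 +0000] "GET /install/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Jun/2026:02:14:09 +0000] "POST /install/index.php?step=3 HTTP/1.1" 302 0',
    '198.51.100.9 - - [30/Jun/2026:03:01:00 +0000] "GET /index.php HTTP/1.1" 200 8000',
] + [f'198.51.100.23 - - [30/Jun/2026:03:0{i}:00 +0000] "POST /forgot-password.php HTTP/1.1" 200 900'
     for i in range(6)]
DEPLOYED_AT = datetime(2026, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_LOG, DEPLOYED_AT):
        print(kind, detail)
```

Run it against the real access log (one line per list entry) with the actual deployment date; each finding names the source IP to cross-check against the database logs and changed admin rows.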
When to ask Ping7 for repair
Use Ping7 CVE Repair when the app is still public, database integrity is unclear, unsupported PHP code must be removed, or logs need to be preserved before a hosting cleanup.