Security Advisory - Published 2026-06-27 - PHP / CMS
PHP CMS batch: check Cacti, GeoVision, Pagekit, HTMLy, Genshi, and small PHP apps
This group covers PHP applications and the template or monitoring stacks deployed alongside them. Treat it as an exposure review: public admin panels, outdated CMS builds, graph and report pages, file move operations, uploaded files, and database query errors.
Affected CVEs in this batch
| CVE | Product | Affected versions | Logs to review | CVSS |
|---|---|---|---|---|
| CVE-2026-0685 | Genshi Template Engine | vendor-fixed release | web and app logs | 9.8 |
| CVE-2026-57878 | GeoVision | vendor-fixed release | web and app logs | 9.8 |
| CVE-2026-57879 | GeoVision | vendor-fixed release | web and app logs | 9.8 |
| CVE-2026-57880 | GeoVision | vendor-fixed release | web and app logs | 9.8 |
| CVE-2026-57881 | GeoVision | vendor-fixed release | web and app logs | 9.8 |
| CVE-2026-57518 | Pagekit CMS | vendor-fixed release | web and app logs | 8.8 |
| CVE-2026-57877 | GeoVision | vendor-fixed release | web and app logs | 8.6 |
| CVE-2026-45233 | HTMLy CMS | through 3.1.1 | web and app logs | 8.1 |
| CVE-2026-37149 | Grocery Store Management System | vendor-fixed release | web and app logs | 7.7 |
| CVE-2026-57872 | GeoVision | vendor-fixed release | web and app logs | 7.5 |
| CVE-2026-57873 | GeoVision | vendor-fixed release | web and app logs | 7.5 |
| CVE-2026-57874 | GeoVision | vendor-fixed release | web and app logs | 7.5 |
| CVE-2026-57875 | GeoVision | vendor-fixed release | web and app logs | 7.5 |
| CVE-2026-57876 | GeoVision | vendor-fixed release | web and app logs | 7.5 |
| CVE-2026-40083 | Cacti | vendor-fixed release | Cacti and web logs | 7.2 |
| CVE-2026-40084 | Cacti | vendor-fixed release | Cacti and web logs | 6.5 |
| CVE-2026-40080 | Cacti | vendor-fixed release | Cacti and web logs | 6.1 |
| CVE-2026-39900 | Cacti | vendor-fixed release | Cacti and web logs | 6.1 |
What to check
- Cacti 1.2.30 and earlier, especially manager, report, auth profile, graph, and package import areas.
- GeoVision appliance or web components listed by the vendor advisory.
- Pagekit CMS 1.0.18 user-management permissions and administrator role changes.
- HTMLy CMS through 3.1.1 file movement, media paths, and low-privilege user activity.
- Genshi template engine 0.7.9 in services that evaluate template expressions.
- Small PHP/MySQL apps exposed to the internet, especially grocery/store demo systems and phpMyAdmin-backed deployments.
Safe fix path
- Patch or remove the affected PHP application before attempting cleanup.
- Preserve web logs, application logs, database errors, and recent file timestamps.
- Review created users, changed roles, uploads, report output files, and unexpected redirects.
- Move unsupported demo or abandoned PHP apps behind authentication or remove them from public hosting.
Compromise indicators
- New users, role changes, unexpected sessions, or unknown API tokens.
- Files changed during the exposure window, especially executable files or generated configs.
- Repeated application errors, database errors, queue failures, or unusual outbound requests.
- Plugin, container, service, or package versions that differ from the expected deployment record.
When to ask Ping7 for repair
Use Ping7 CVE Repair when the affected component is public, logs show suspicious activity, patching may break production, or cleanup requires file, database, user, token, or container review.