Security Advisory - Published 2026-07-11 - PHP / CMS
PHP and CMS batch: check framework locks, uploads, forum attachments, and public APIs
This group covers PHP applications where a small framework or CMS flaw can expose sessions, uploads, attachments, inactive content, or configuration data. Treat it as an application integrity review, not only a dependency update.
Affected CVEs in this batch
| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-57584 | Phalcon | < 5.15.0 | routing rules, error logs, CPU spikes, and dependency locks | 8.7 |
| CVE-2026-54736 | Phalcon | < 5.14.1 | encrypted cookies, session data, auth flows, and dependency locks | 8.2 |
| CVE-2026-51924 | docuForm Client | 11.11c | upload folders, report files, executable files, and web logs | 8.1 |
| CVE-2026-51925 | docuForm Client | 11.11c | report pages, configuration reads, web logs, and modified files | 8.1 |
| CVE-2026-51926 | docuForm FSM Client | 11.11c | login responses, valid user exposure, brute-force noise, and access logs | 7.5 |
| CVE-2026-61450 | Grav CMS | < 2.0.2 | page authors, user/pages writes, configuration exposure, and admin logs | 7.1 |
| CVE-2026-39903 | Simple Machines Forum | 2.1 before 2.1.8; 3.0 before Alpha 5 | attachments, moderator actions, forum uploads, and member sessions | 7.1 |
| CVE-2026-57994 | phpMyFAQ | < 4.1.5 | FAQ API output, inactive entries, publication filters, and access logs | 6.9 |
What to check
- Composer locks, deployed framework versions, container images, and any bundled vendor copies.
- docuForm login behavior, report pages, upload folders, and recent file changes.
- Simple Machines Forum attachment approval history, moderator actions, uploads, and member sessions.
- Grav page author permissions, user/pages writes, admin logs, and configuration exposure.
- phpMyFAQ public API output, publication filters, inactive entries, and access logs.
Safe fix path
- Patch the application or framework first; if a fixed release is not available, remove public access to the affected feature.
- Preserve web logs, application logs, database logs, and file listings before cleanup.
- Review accounts, uploads, attachments, API output, and configuration reads during the exposure window.
- Rotate application secrets and user credentials if file or configuration integrity is uncertain.
Compromise indicators
- Unexpected uploads, changed report files, modified templates, or newly writable directories.
- Login noise that reveals valid users, account lockouts, or repeated access to sensitive report pages.
- Inactive FAQ entries exposed publicly or CMS pages changed outside normal editorial activity.
- Forum attachments approved or altered without a matching moderator action.
When to ask Ping7 for repair
Use Ping7 CVE Repair when public PHP apps have uploads, forums, support portals, FAQ data, or configuration files that need review before the service goes back online.