Security Advisory - Published 2026-06-19 - PHP / Self-hosted Apps
PHP app CVEs: patch public apps, review database writes, users, and uploads
This batch covers FileRise, PIAF-HMS, LMS, UBB.threads, Cotonti, Remark42, and phpMyFAQ. The common risk is self-hosted application state: shared links, database records, control-panel activity, API keys, comments, and files written by the application.
Affected systems
| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-54414 | FileRise | before 3.16.0 | shared links, users.txt, upload folders, and new admin users | 9.8 |
| CVE-2026-54419 | PIAF-HMS | current public code | hotel records, PBX-HMS database users, and web logs | 9.8 |
| CVE-2026-55742 | Cotonti | 1.0.0 master branch | rights changes, group permissions, and admin sessions | 9.6 |
| CVE-2026-55741 | Cotonti | 1.0.0 master branch | configuration changes and admin sessions | 8.8 |
| CVE-2026-55744 | Cotonti | 1.0.0 master branch | PFS uploads, changed files, and user sessions | 8.6 |
| CVE-2026-40455 | LMS | before commit 4cb30a7 | tariff changes, database errors, and authenticated admin activity | 8.6 |
| CVE-2026-54222 | UBB.threads | confirmed in 7.7.5 | control panel members activity and database access | 8.6 |
| CVE-2026-48788 | Remark42 | 1.6.0 through 1.15.0 | comment content, moderator sessions, and site embeds | 8.2 |
| CVE-2026-55746 | Cotonti | 1.0.0 master branch | PFS folder titles and user-uploaded content | 7.6 |
| CVE-2026-49205 | phpMyFAQ | before 4.1.4 | API keys, content writes, and user permissions | 6.5 |
Owner self-check
Run these from the web root. The alternation uses extended regex (-E) so the patterns work as written, and the find for config files needs the parentheses, otherwise -type f applies only to .env. Adjust -mtime to the window you actually care about; 10 days is a starting point, not the advisory's own figure.
grep -RniE 'FileRise|PIAF-HMS|phpMyFAQ|Cotonti|UBB\.threads|LAN Management System|Remark42' . --include='composer.json' --include='*.php' --include='README*'
find . -type f -mtime -10 | grep -E '\.(php|phtml|phar|sql|zip)$|users\.txt'
find . -type f \( -name '.env' -o -name 'config.php' -o -name 'settings.php' \)
grep -RniE 'api_key|webhook|shared|upload' . --include='*.php' --include='*.ini' --include='*.conf'
What to review
- Public app exposure, demo installs, old PHP apps, and abandoned admin panels.
- Database records changed around the advisory window, especially rooms, tariffs, members, FAQ content, and users.
- Shared-folder links, API keys, upload directories, and files written outside normal media paths.
- New administrators, changed passwords, browser warnings, comment changes, and unexpected JavaScript in user-controlled content.
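The owner self-check and the review list above can be run as one script. The block below is an added example written for this page, not code from the advisory or from any of the listed projects. It flags two things the list asks about: executable PHP (including double extensions such as name.php.jpg) written under directories that should only hold media, and recently changed files of the kinds the advisory calls out (PHP sources, users.txt, SQL dumps, config and secrets files). The upload-directory names (uploads, upload, media, pfs), the 10-day window, and the sample tree it builds under mktemp are all assumptions for the demonstration; match them to the real application before relying on the output.

```sh
#!/bin/sh
# Added example, not from the advisory or any listed project.
# php_upload_check DIR [DAYS]: prints one line per finding; returns 1 if
# anything was found and 0 if the tree looks clean.
php_upload_check() {
    dir=$1
    days=${2:-10}

    # Check 1: PHP that can execute, sitting under directories that should
    # hold only media. Directory names are assumptions; extend for your app.
    exe_hits=$(find "$dir" -type f \
        \( -path '*/uploads/*' -o -path '*/upload/*' -o -path '*/media/*' -o -path '*/pfs/*' \) \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' -o -name '*.php.*' \))

    # Check 2: files changed inside the window that the advisory asks you to
    # review: PHP sources, users.txt, dumps, and config/secrets files.
    recent_hits=$(find "$dir" -type f -mtime "-$days" \
        \( -name '*.php' -o -name '*.phtml' -o -name 'users.txt' -o -name '*.sql' \
           -o -name '.env' -o -name 'config.php' -o -name 'settings.php' \))

    found=0
    if [ -n "$exe_hits" ]; then
        printf '%s\n' "$exe_hits" | sed 's/^/EXEC_IN_UPLOAD /'
        found=1
    fi
    if [ -n "$recent_hits" ]; then
        printf '%s\n' "$recent_hits" | sed "s/^/CHANGED_${days}D /"
        found=1
    fi
    return $found
}

# Constructed sample tree so the example runs offline. Nothing in it is real
# application code; it just reproduces the shapes the checks look for.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/app/uploads/2026" "$t/app/includes"
    printf '<?php echo 1;\n' > "$t/app/uploads/2026/shell.php"   # PHP where only media belongs
    printf 'GIF89a\n' > "$t/app/uploads/2026/photo.gif"          # harmless media, must not be flagged
    printf 'admin:x\n' > "$t/app/users.txt"                       # freshly written user file
    printf '<?php\n' > "$t/app/includes/config.php"
    touch -t 202001010000 "$t/app/includes/config.php"            # old: outside the window
    printf '%s\n' "$t/app"
}

sample=$(make_sample_tree)
php_upload_check "$sample" 10 || echo "review needed: $sample"
```

A non-zero return is the signal to go to the review list: pull the web and PHP logs for the paths printed, check who wrote users.txt, and treat any PHP under an upload path as a compromise indicator until proven otherwise. The script does not look inside files, so JavaScript injected into comments or FAQ content still needs a database-side review.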
Safe fix path
- Patch to the vendor-fixed version where one exists. Remove unsupported public apps from exposure.
- Preserve web, PHP, database, and application logs before cleanup.
- Rotate database credentials and API keys if public endpoints were exposed.
- Restore files from a clean backup only after the application is patched or removed.
Repair help
Use Ping7 CVE Repair when a PHP app had public access, database records changed, uploads look suspicious, users appeared, or logs are too noisy to review manually.