Security Advisory - Published 2026-06-22 - Self-hosted Apps

Craft CMS, phpMyFAQ, House-Rental, and Capgo: check versions and app logs

This batch covers public-facing self-hosted applications. The practical question is whether the vulnerable app was reachable and whether users, roles, database records, environment access, or PostgreSQL telemetry changed before the patch.

Defensive scope: this page is for owned systems and approved response work. Keep the review limited to inventory, logs, patching, and cleanup.

Affected systems

| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-56396 | phpMyFAQ | before 4.1.4 | admin user changes, rights changes, and FAQ admin logs | 8.8 |
| CVE-2026-56382 | Craft CMS | 5.5.0 through 5.9.13 | Composer lock files, admin field-layout changes, environment access, and logs | 8.6 |
| CVE-2026-12775 | Montodel House-Rental-Management | rolling release before the reported fix state | login logs, rental records, database errors, and changed users | 7.5 |
| CVE-2026-56282 | Capgo | before 12.128.2 | replication endpoint exposure, PostgreSQL logs, and deployment telemetry | 6.9 |

Owner self-check

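# Which of the affected packages appear in dependency manifests and lock files
grep -Rni 'craftcms/cms\|phpmyfaq\|Capgo\|House-Rental' composer.json composer.lock package.json pnpm-lock.yaml yarn.lock 2>/dev/null
# Code, config, dump, and log files modified in the last 10 days
find . -type f -mtime -10 | grep -E '\.php$|\.phtml$|\.env$|\.sql$|\.log$|composer\.lock|package-lock\.json'
# Log lines that mention admin rights, field layouts, replication, logins, or SQL errors
grep -Rni 'superadmin\|rights\|field layout\|replication\|postgres\|login\|sql error' storage logs var/log 2>/dev/null
# Where application and database secrets are defined (matching lines include the secret values)
grep -Rni 'CRAFT_SECURITY_KEY\|DB_PASSWORD\|DATABASE_URL' .env config 2>/dev/null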
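
The first grep only shows that a package is present. The following is an added example, not part of the advisory or of any listed project's code, that reads the locked craftcms/cms version from a composer.lock and compares it numerically against the ranges in the table above. The function names, the `phpmyfaq` and `capgo` labels, and the sample lock content are assumptions made for illustration; House-Rental is left out because the table gives no version number for it.

```python
import json
import re

# Ranges copied from the advisory table: (lowest affected or None, upper bound, inclusive?).
# "craftcms/cms" is the Composer package name; the other two keys are plain labels
# for a version string read from the app itself.
AFFECTED = {
    "craftcms/cms": ("5.5.0", "5.9.13", True),   # 5.5.0 through 5.9.13
    "phpmyfaq": (None, "4.1.4", False),          # before 4.1.4
    "capgo": (None, "12.128.2", False),          # before 12.128.2
}

# Constructed sample, trimmed to the fields composer.lock uses for each package.
SAMPLE_LOCK = """{"packages": [
  {"name": "craftcms/cms", "version": "5.8.2"},
  {"name": "example/other-package", "version": "1.0.0"}
], "packages-dev": []}"""


def parse_version(text):
    """'v5.9.13' -> (5, 9, 13, 0); None for dev branches and pre-release tags."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){0,3})", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product, version):
    """True or False for a plain numeric version, None when it needs a manual look."""
    rng, ver = AFFECTED.get(product.lower()), parse_version(version)
    if rng is None or ver is None:
        return None
    low, high, inclusive = rng
    if low is not None and ver < parse_version(low):
        return False
    return ver <= parse_version(high) if inclusive else ver < parse_version(high)


def craft_status_from_lock(lock_text):
    """Return (locked version, affected) for craftcms/cms, or None if not locked."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name", "").lower() == "craftcms/cms":
            return pkg.get("version", ""), is_affected("craftcms/cms", pkg.get("version", ""))
    return None


if __name__ == "__main__":
    print(craft_status_from_lock(SAMPLE_LOCK))
```

A `None` result (for example a `5.x-dev` branch alias) means the locked version cannot be compared as a number and the installed commit has to be checked by hand.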

What to review

  • Craft CMS admin field-layout changes, Composer version, environment access, and admin sessions.
  • phpMyFAQ administrators, rights changes, user edits, and FAQ admin activity.
  • House-Rental login errors, database errors, changed rental records, and changed user accounts.
  • Capgo replication endpoint exposure, PostgreSQL logs, deployment telemetry, and public routes.

Safe fix path

  1. Patch to the fixed release where available. Remove unsupported public apps from exposure.
  2. Preserve web, app, database, and deployment logs before cleanup.
  3. Rotate database credentials, application keys, API keys, and admin passwords if exposure is confirmed.
  4. Recheck public routes after patching; stale proxies and old containers can keep vulnerable code reachable.

Repair help

Use Ping7 CVE Repair when a self-hosted app was public, admin rights changed, database records look wrong, or logs need review before the system is returned to normal traffic.

References