Security Advisory - Published 2026-06-18 - PHP / Database Backends

PHP backend CVEs: patch admin tools, check database users, preserve logs

This batch covers Pimcore, Azuriom, a PHP bus-ticket app, and MySQL Shell for VS Code. The common risk is backend control: CMS admins, server tokens, database access, or developer tooling with saved connections.

Defensive scope: this page is for owned systems and approved incident review. It avoids exploit strings and focuses on inventory, patching, logs, and recovery.

Affected systems

CVE             Product                  Marker          Review  CVSS
CVE-2026-55740  bus-ticket               -               SQL     9.8
CVE-2026-54415  Azuriom CMS              1.2.11          Tokens  8.6
CVE-2026-11407  Pimcore CMS/DXP          12.3.8          Admin   8.6
CVE-2026-46870  MySQL Shell for VS Code  2026.2.0+9.6.1  -       8.5

Owner self-check

grep -RniE 'pimcore|azuriom|bus_info\.php|mysqlsh' . --include="composer.lock" --include="composer.json" --include="*.php" --include="package.json"
composer show pimcore/pimcore 2>/dev/null
composer show azuriom/azuriom 2>/dev/null
mysqlsh --version 2>/dev/null
find . -type f -mtime -10 | grep -E '\.php$|composer\.lock|\.env|\.sql$'

What to review

  • Pimcore class definition and template changes made by administrative users.
  • Azuriom server tokens, AzLink activity, email changes, and password changes.
  • Public PHP ticketing or booking apps that connect to MySQL with broad privileges.
  • MySQL Shell for VS Code users, saved connection profiles, and unexpected database activity.

Safe fix path

  1. Patch Pimcore, Azuriom, and MySQL tooling to the fixed release listed by the vendor.
  2. Remove abandoned demo PHP apps from public hosting. Fix database credentials before restoring exposure.
  3. Change database users away from broad or shared privileges and rotate exposed credentials.
  4. Preserve web, application, database, and admin audit logs before cleanup.
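
For step 3, one way to find database users that need narrowing is to scan SHOW GRANTS output for global or administrative privileges. The script below is an added example, not part of the original advisory or any vendor tooling; the function names, the reason labels, and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag broad MySQL grants.
# Reads SHOW GRANTS output on stdin, one GRANT statement per line, and prints
# "account<TAB>reasons" for every account with at least one finding.
flag_broad_grants() {
  awk '
    function note(acct, why) {
      if ((acct, why) in seen) return          # report each reason once
      seen[acct, why] = 1
      if (acct in reasons) reasons[acct] = reasons[acct] "," why
      else { order[++n] = acct; reasons[acct] = why }
    }
    /^GRANT / {
      # Split the statement into privilege list, scope, and account.
      privs = $0; sub(/^GRANT /, "", privs); sub(/ ON .*/, "", privs)
      scope = $0; sub(/.* ON /, "", scope);  sub(/ TO .*/, "", scope)
      acct  = $0; sub(/.* TO /, "", acct);   sub(/ .*/, "", acct)
      if (scope == "*.*" && privs == "ALL PRIVILEGES") note(acct, "all-privileges-global")
      else if (scope == "*.*" && privs != "USAGE")     note(acct, "global-scope")
      if ((", " privs ",") ~ /, (FILE|SUPER),/)        note(acct, "file-or-super")
      if ($0 ~ / WITH GRANT OPTION/)                   note(acct, "grant-option")
      # Host part is a bare wildcard, quoted with backticks or single quotes.
      if (acct ~ /@.%.$/)                              note(acct, "any-host")
    }
    END { for (i = 1; i <= n; i++) printf "%s\t%s\n", order[i], reasons[order[i]] }
  '
}

# Constructed sample input: three hypothetical accounts, not real data.
sample_grants() {
  cat <<'EOF'
GRANT ALL PRIVILEGES ON *.* TO `busapp`@`%` WITH GRANT OPTION
GRANT USAGE ON *.* TO `cms`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE ON `cms`.* TO `cms`@`localhost`
GRANT SELECT, FILE ON *.* TO `report`@`10.0.0.5`
EOF
}

sample_grants | flag_broad_grants
```

On a live server, replace sample_grants with the SHOW GRANTS output collected for each account. An account that appears in the result is a candidate for a per-application user limited to its own schema.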

Repair help

Use Ping7 CVE Repair when a PHP backend had public access, unknown admin changes, database errors, changed server tokens, or suspicious MySQL activity during the exposure window.
