Security Advisory - Published 2026-06-18 - PHP / Database Backends
PHP backend CVEs: patch admin tools, check database users, preserve logs
This batch covers Pimcore, Azuriom, a PHP bus-ticket app, and MySQL Shell for VS Code. The common risk is backend control: CMS admins, server tokens, database access, or developer tooling with saved connections.
Affected systems
| CVE | Product | Marker | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-55740 | bus-ticket | | SQL | 9.8 |
| CVE-2026-54415 | Azuriom CMS | 1.2.11 | Tokens | 8.6 |
| CVE-2026-11407 | Pimcore CMS/DXP | 12.3.8 | Admin | 8.6 |
| CVE-2026-46870 | MySQL Shell for VS Code | 2026.2.0+9.6.1 | | 8.5 |
Owner self-check
```bash
# Find references to the affected products in dependency manifests and PHP sources
grep -RniE "pimcore|azuriom|bus_info\.php|mysqlsh" . --include="composer.lock" --include="composer.json" --include="*.php" --include="package.json"
# Report installed versions of the affected Composer packages (silent if not installed)
composer show pimcore/pimcore azuriom/azuriom 2>/dev/null
# Report the installed MySQL Shell version (silent if not installed)
mysqlsh --version 2>/dev/null
# List PHP, lock, env, and SQL files modified in the last 10 days
find . -type f -mtime -10 | grep -E '\.php$|composer\.lock|\.env|\.sql$'
```
What to review
- Pimcore class definition and template changes made by administrative users.
- Azuriom server tokens, AzLink activity, email changes, and password changes.
- Public PHP ticketing or booking apps that connect to MySQL with broad privileges.
- MySQL Shell for VS Code users, saved connection profiles, and unexpected database activity.
Safe fix path
- Patch Pimcore, Azuriom, and MySQL tooling to the fixed release listed by the vendor.
- Remove abandoned demo PHP apps from public hosting. Fix database credentials before restoring exposure.
- Change database users away from broad or shared privileges and rotate exposed credentials.
- Preserve web, application, database, and admin audit logs before cleanup.
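The database-user step above, worked through in MySQL as an added example that is not part of this advisory: the first two queries list accounts holding global privileges or reachable from any host, the rest replace a shared account with one scoped to the app's schema. The schema name `busticket`, the account names, and the host range are assumptions; the password is a placeholder to be replaced.

```sql
-- 1. Accounts with any global (*.*) privilege beyond USAGE. A web app's
--    account should not appear here at all; FILE, SUPER, PROCESS and
--    CREATE USER on an app account are the broad grants to remove first.
SELECT GRANTEE,
       COUNT(*) AS global_priv_count,
       MAX(IS_GRANTABLE = 'YES') AS has_grant_option,
       GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE SEPARATOR ', ') AS global_privs
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE <> 'USAGE'
GROUP BY GRANTEE
ORDER BY global_priv_count DESC;

-- 2. Accounts that accept connections from any host ('%').
SELECT User, Host, account_locked
FROM mysql.user
WHERE Host = '%'
ORDER BY User;

-- 3. Replace the shared account with one scoped to the app schema and
--    the app servers' address range (assumed schema and range).
CREATE USER 'busticket_app'@'10.0.0.%' IDENTIFIED BY '<replace-with-new-secret>';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON busticket.* TO 'busticket_app'@'10.0.0.%';

-- 4. Rotate the exposed shared account (hypothetical name) so any credential
--    copied during the exposure window stops working, then lock it until
--    the app has been moved to the new account.
ALTER USER 'old_shared_user'@'%' IDENTIFIED BY '<replace-with-new-secret>';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'old_shared_user'@'%';
ALTER USER 'old_shared_user'@'%' ACCOUNT LOCK;

-- 5. Confirm the new account carries only the schema-level grants.
SHOW GRANTS FOR 'busticket_app'@'10.0.0.%';
```

Run the two audit queries again after the change; the new account should not appear in either result set.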
Repair help
Use Ping7 CVE Repair when a PHP backend had public access, unknown admin changes, database errors, changed server tokens, or suspicious MySQL activity during the exposure window.