Security Advisory - Published 2026-06-12 - PHP Apps
PHP application CVEs: ClipBucket, BUK TS-G, openSIS, and CodeAstro HRMS
These are not generic library alerts. They map to running web apps that may hold media, patient, student, staff, payroll, or automation data. Confirm the app is really present, restrict access if it is exposed, then patch and review logs.
Affected apps
| CVE | App | Main risk | Fix direction |
|---|---|---|---|
| CVE-2026-45060 | ClipBucket v5 | Unauthenticated SQL injection in video progress handling. | Update to 5.5.3 #129 or newer. |
| CVE-2026-45418 | ClipBucket v5 | Authenticated uploader SQL injection in subtitle editing. | Update to 5.5.3 #132 or newer. |
| CVE-2026-47238 | ClipBucket v5 | Subtitle authorization weakness. | Include in ClipBucket 5.5.3 patch review. |
| CVE-2026-38581 | thaipalliative_lte | Critical SQL injection in study form handling. | Restrict public access and apply vendor fix. |
| CVE-2026-8406 | openSIS Classic 9.3 | Messaging module object authorization issue. | Apply upstream fix and audit message access. |
| CVE-2026-12131 | CodeAstro Human Resource Management System 1.0 | Payroll invoice SQL injection risk. | Restrict the payroll module, patch, and review invoice/database logs. |
| CVE-2026-12183 | BUK TS-G Gas Station Automation System | Critical authentication weakness in Linux system configuration handling. | Remove public access, apply vendor update, and review administrative/config changes. |
What to check first
```bash
# Locate installed copies of the affected apps under the web root
find /var/www -maxdepth 4 \( -iname "clipbucket*" -o -iname "opensis*" -o -iname "*thaipalliative*" -o -iname "*human-resource*" -o -iname "*hrms*" -o -iname "*buk*" -o -iname "*ts-g*" \)
# List application config files, which reveal the database and the app version in use
find /var/www -maxdepth 5 \( -iname ".env" -o -iname "config.php" \) | head -50
# Find web server vhosts that serve one of these apps (extended regex, no escaped pipes needed)
grep -R -E "ClipBucket|openSIS|thaipalliative|Payroll|Human Resource|BUK|TS-G" /etc/nginx /etc/apache2 2>/dev/null
```

If the app is public and unpatched, put it behind access control while you back up the database and application files. Do not delete logs before checking whether data or accounts changed.
Compromise review
- Unexpected administrator, uploader, student, staff, or healthcare operator accounts.
- Database errors, slow queries, or unusual reads around media, form, messaging, payroll, or invoice routes.
- New PHP files in upload, cache, media, subtitle, or temporary directories.
- Changed payment, payroll, email, notification, upload, terminal, fuel, or system configuration settings.
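Two of the review items above can be scripted. The shell script below is an added example, not part of this advisory and not code from any of the listed vendors: it flags PHP files that recently appeared in directories that should only hold data, and it counts server errors per URL path in a web access log so a route that suddenly started failing stands out. The directory names in `WRITABLE_DIRS` and the log lines in `demo_errors` are constructed assumptions; adjust the directory list to the real layout of the deployed app.

```bash
#!/usr/bin/env bash
# Added example for the compromise review: not from the advisory or any vendor.
# 1. find_new_php: PHP-executable files that appeared recently in writable
#    directories (upload, cache, media, subtitle, temporary).
# 2. server_errors_by_path: 5xx responses per path from a combined-format
#    access log, a cheap proxy for "database errors around a route".

# Writable directory names, relative to an app root, that should never gain PHP
# code. Assumption: edit to match the real deployment.
WRITABLE_DIRS="upload uploads cache media subtitles tmp temp"

# find_new_php APP_ROOT DAYS
# Prints PHP-executable files under the writable directories modified within DAYS days.
find_new_php() {
  root="$1"
  days="$2"
  for d in $WRITABLE_DIRS; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -type f \
      \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) \
      -mtime "-$days"
  done
}

# count_new_php APP_ROOT DAYS: number of hits only, for a threshold in a cron job.
count_new_php() {
  find_new_php "$1" "$2" | wc -l | tr -d ' '
}

# server_errors_by_path < access.log
# Reads combined-format access log lines on stdin and prints "COUNT PATH" for
# each path that returned a 5xx status, highest count first. The query string
# is dropped so one route hit with many parameter variations is counted once.
server_errors_by_path() {
  awk '$9 ~ /^5[0-9][0-9]$/ { split($7, u, "?"); n[u[1]]++ }
       END { for (p in n) print n[p], p }' | sort -rn
}

# demo_new_php: constructed app tree in a temp directory; prints the number of
# flagged files. Only uploads/thumb.php should be flagged.
demo_new_php() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/uploads" "$tmp/cache" "$tmp/includes"
  : > "$tmp/uploads/video.mp4"    # ordinary media, ignored
  : > "$tmp/uploads/thumb.php"    # PHP inside an upload directory: flagged
  : > "$tmp/includes/db.php"      # app code outside writable dirs: not flagged
  : > "$tmp/cache/old.php"
  touch -t 202001010000 "$tmp/cache/old.php"   # PHP in cache, but outside the window
  count_new_php "$tmp" 7
  rm -rf "$tmp"
}

# demo_errors: constructed access log lines; prints the path with the most 5xx
# responses. The addresses and paths are made up for the example.
demo_errors() {
  server_errors_by_path <<'EOF' | head -1 | awk '{print $2}'
203.0.113.5 - - [12/Jun/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [12/Jun/2026:10:01:03 +0000] "GET /payroll/invoice.php?id=1 HTTP/1.1" 500 120 "-" "-"
203.0.113.7 - - [12/Jun/2026:10:01:04 +0000] "GET /payroll/invoice.php?id=2 HTTP/1.1" 500 120 "-" "-"
203.0.113.7 - - [12/Jun/2026:10:01:05 +0000] "GET /payroll/invoice.php?id=3 HTTP/1.1" 500 120 "-" "-"
203.0.113.9 - - [12/Jun/2026:10:02:00 +0000] "GET /media/view.php?v=7 HTTP/1.1" 503 88 "-" "-"
EOF
}

demo_new_php
demo_errors
```

On a real host run `find_new_php /var/www/<app> 30` against the actual application root and `server_errors_by_path < /var/log/nginx/access.log` (or the Apache equivalent); a route with a sudden cluster of 5xx responses deserves a matching look at the database error log for the same window.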
Ping7 repair path
Ping7 can review exposed PHP apps, patch state, web logs, database logs, upload directories, and admin accounts. Use CVE Repair if the site contains customer, patient, student, payroll, or paid media data.