Security Advisory - Published 2026-06-12 - PHP Apps

PHP application CVEs: ClipBucket, BUK TS-G, openSIS, and CodeAstro HRMS

These are not generic library alerts. They map to running web apps that may hold media, patient, student, staff, payroll, or automation data. Confirm the app is really present, restrict access if it is exposed, then patch and review logs.

Defensive scope: this checklist avoids SQL strings and request details. It focuses on app inventory, account review, database safety, and cleanup.

Affected apps

| CVE | App | Main risk | Fix direction |
|---|---|---|---|
| CVE-2026-45060 | ClipBucket v5 | Unauthenticated SQL injection in video progress handling. | Update to 5.5.3 #129 or newer. |
| CVE-2026-45418 | ClipBucket v5 | Authenticated uploader SQL injection in subtitle editing. | Update to 5.5.3 #132 or newer. |
| CVE-2026-47238 | ClipBucket v5 | Subtitle authorization weakness. | Include in ClipBucket 5.5.3 patch review. |
| CVE-2026-38581 | thaipalliative_lte | Critical SQL injection in study form handling. | Restrict public access and apply vendor fix. |
| CVE-2026-8406 | openSIS Classic 9.3 | Messaging module object authorization issue. | Apply upstream fix and audit message access. |
| CVE-2026-12131 | CodeAstro Human Resource Management System 1.0 | Payroll invoice SQL injection risk. | Restrict the payroll module, patch, and review invoice/database logs. |
| CVE-2026-12183 | BUK TS-G Gas Station Automation System | Critical authentication weakness in Linux system configuration handling. | Remove public access, apply vendor update, and review administrative/config changes. |

What to check first

# 1. Locate candidate application directories by name (tests grouped so -o binds as intended).
find /var/www -maxdepth 4 \( -iname "clipbucket*" -o -iname "opensis*" -o -iname "*thaipalliative*" -o -iname "*human-resource*" -o -iname "*hrms*" -o -iname "*buk*" -o -iname "*ts-g*" \)
# 2. Find configuration files that reveal which apps and databases are actually in use.
find /var/www -maxdepth 5 \( -iname ".env" -o -iname "config.php" \) | head -50
# 3. Check the web server configuration for virtual hosts that serve these apps.
grep -RE "ClipBucket|openSIS|thaipalliative|Payroll|Human Resource|BUK|TS-G" /etc/nginx /etc/apache2 2>/dev/null

If the app is public and unpatched, put it behind access control while you back up the database and application files. Do not delete logs before checking whether data or accounts changed.

Compromise review

  • Unexpected administrator, uploader, student, staff, or healthcare operator accounts.
  • Database errors, slow queries, or unusual reads around media, form, messaging, payroll, or invoice routes.
  • New PHP files in upload, cache, media, subtitle, or temporary directories.
  • Changed payment, payroll, email, notification, upload, terminal, fuel, or system configuration settings.

Ping7 repair path

Ping7 can review exposed PHP apps, patch state, web logs, database logs, upload directories, and admin accounts. Use CVE Repair if the site contains customer, patient, student, payroll, or paid media data.

References