CVE-2026-24420 phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in...