CVE Search Engine - Security Vulnerabilities and Exploits Search Tool | Vulners.com

🔥 Daily Hot!

💪🏽 CPE Enhanced Advisories

🕶 Shadow Exploits

🕵🏼 Vulners CPE

🔐 Security news

💻 Exploit updates

📑 Blogs review

🐧 Linux vulnerabilities

🤖 AI High Score

show all

1756 matches found

Cvelist•added 2026/05/15 6:36 p.m.•29 views

CVE-2026-46359 phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Unescaped OAuth Token Fields

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break...

7.7CVSS0.00033EPSS

Exploits0References2

EUVD•added 2026/05/15 6:36 p.m.•4 views

EUVD-2026-30594

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break...

7.5CVSS6.1AI score0.00033EPSS

Exploits0References2

CVE•added 2026/05/15 6:36 p.m.•8 views

CVE-2026-46359

CVE-2026-46359 (phpMyFAQ) affects phpMyFAQ prior to 4.1.2. A SQL injection exists in CurrentUser::setTokenData, allowing authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or J...

7.7CVSS6.1AI score0.00033EPSS

Exploits0References2

ATTACKERKB•added 2026/05/15 6:36 p.m.•4 views

CVE-2026-46359

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break...

7.5CVSS6.1AI score0.00033EPSS

Exploits0References3

Vulnrichment•added 2026/05/15 6:36 p.m.•4 views

CVE-2026-46359 phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Unescaped OAuth Token Fields

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break...

7.7CVSS6.1AI score0.00033EPSS

Exploits0References2

Cvelist•added 2026/05/15 6:36 p.m.•27 views

CVE-2026-45010 phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

9.3CVSS0.00146EPSS

Exploits0References2

ATTACKERKB•added 2026/05/15 6:36 p.m.•2 views

CVE-2026-45010

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

9.1CVSS6AI score0.00146EPSS

Exploits0References3

CVE•added 2026/05/15 6:36 p.m.•5 views

CVE-2026-45010

CVE-2026-45010 affects phpMyFAQ before 4.1.2. The /admin/check endpoint improperly restricts authentication attempts, accepting arbitrary user-id parameters without session binding or rate limiting. This enables unauthenticated attackers to brute-force any user’s six-digit TOTP code by submitting...

9.3CVSS6AI score0.00146EPSS

Exploits0References2

Vulnrichment•added 2026/05/15 6:36 p.m.•4 views

CVE-2026-45010 phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

9.3CVSS6AI score0.00146EPSS

Exploits0References2

EUVD•added 2026/05/15 6:36 p.m.•5 views

EUVD-2026-30595

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

9.1CVSS6AI score0.00146EPSS

Exploits0References2

Vulnrichment•added 2026/05/15 6:36 p.m.•6 views

CVE-2026-45009 phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access...

5.3CVSS5.8AI score0.00028EPSS

Exploits0References2

Cvelist•added 2026/05/15 6:36 p.m.•27 views

CVE-2026-45009 phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access...

5.3CVSS0.00028EPSS

Exploits0References2

ATTACKERKB•added 2026/05/15 6:36 p.m.•4 views

CVE-2026-45009

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access...

4.3CVSS5.8AI score0.00028EPSS

Exploits0References3Affected Software1

EUVD•added 2026/05/15 6:36 p.m.•5 views

EUVD-2026-30592

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access...

4.3CVSS5.8AI score0.00028EPSS

Exploits0References2

CVE•added 2026/05/15 6:36 p.m.•7 views

CVE-2026-45009

CVE-2026-45009 affects phpMyFAQ prior to 4.1.2. The issue is an insufficient authorization check in admin-api routes, allowing authenticated ordinary users to access administrative endpoints without verifying backend privileges. This can expose sensitive backend information such as dashboard vers...

5.3CVSS5.8AI score0.00028EPSS

Exploits0References2

Vulnrichment•added 2026/05/15 6:36 p.m.•4 views

CVE-2026-45008 phpMyFAQ - Path Traversal in Client::deleteClientFolder via URL Parameter

phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCEDELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../ in the client URL parameter to recursively delete...

7CVSS5.9AI score0.00048EPSS

Exploits0References2

Cvelist•added 2026/05/15 6:36 p.m.•27 views

CVE-2026-45008 phpMyFAQ - Path Traversal in Client::deleteClientFolder via URL Parameter

phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCEDELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../ in the client URL parameter to recursively delete...

7CVSS0.00048EPSS

Exploits0References2

ATTACKERKB•added 2026/05/15 6:36 p.m.•5 views

CVE-2026-45008

phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCEDELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../ in the client URL parameter to recursively delete...

6.5CVSS5.9AI score0.00048EPSS

Exploits0References3

CVE•added 2026/05/15 6:36 p.m.•8 views

CVE-2026-45008

CVE-2026-45008 affects phpMyFAQ up to version 4.1.2 and describes a path traversal vulnerability in the Client::deleteClientFolder function. An admin with INSTANCE_DELETE permission can submit a crafted client URL parameter (for example using sequences like ../../../) to traverse outside the inte...

7CVSS5.9AI score0.00048EPSS

Exploits0References2

EUVD•added 2026/05/15 6:36 p.m.•5 views

EUVD-2026-30593

phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCEDELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../ in the client URL parameter to recursively delete...

6.5CVSS5.9AI score0.00048EPSS

Exploits0References2

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by