1756 matches found

OSV
added 2026/01/24 2:02 a.m.

CVE-2026-24422 phpMyFAQ: Public API endpoints expose emails and invisible questions

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list endpoint calls Question::getAll with showAll=true by default, returning...

CVSS 5.3 | AI score 5.7 | EPSS 0.00021
Exploits 1 | References 3
CVE
added 2026/01/24 2:02 a.m.

CVE-2026-24422

Summary: CVE-2026-24422 affects phpMyFAQ prior to 4.0.17, where public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() uses Question::getAll() with showAll=true by default, returning non-public records (isVisible=f...

CVSS 7.5 | AI score 5.5 | EPSS 0.00021
Exploits 1 | References 1 | Affected Software 1
OSV
added 2026/01/24 1:57 a.m.

CVE-2026-24420 phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in...

CVSS 6.5 | AI score 5.7 | EPSS 0.00016
Exploits 1 | References 3
Cvelist
added 2026/01/24 1:57 a.m.

CVE-2026-24420 phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in...

CVSS 6.5 | EPSS 0.00016
Exploits 1 | References 1
Vulnrichment
added 2026/01/24 1:57 a.m.

CVE-2026-24420 phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in...

CVSS 6.5 | AI score 5.8 | EPSS 0.00016
Exploits 1 | References 1
ATTACKERKB
added 2026/01/24 1:57 a.m.

CVE-2026-24420

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in...

CVSS 6.5 | AI score 5.8 | EPSS 0.00016
Exploits 1 | References 2 | Affected Software 1
EUVD
added 2026/01/24 1:57 a.m.

EUVD-2026-4259

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in...

CVSS 6.5 | AI score 5.4 | EPSS 0.00016
Exploits 1 | References 2
CVE
added 2026/01/24 1:57 a.m.

CVE-2026-24420

phpMyFAQ vulnerability CVE-2026-24420 affects versions 4.0.16 and older, where an authenticated user lacking the dlattachment right can download attachments due to a flawed permissions check in attachment.php. The access decision incorrectly treats the mere presence of a permission key as authori...

CVSS 6.5 | AI score 5.4 | EPSS 0.00016
Exploits 1 | References 1 | Affected Software 1
CVE
added 2026/01/24 1:43 a.m.

CVE-2026-24421

Summary: CVE-2026-24421 affects phpMyFAQ before 4.0.17. Versions 4.0.16 and earlier have flawed authorization logic that exposes the /api/setup/backup endpoint to any authenticated user. The code uses userIsAuthenticated() without verifying configuration/admin permissions, allowing non-admin user...

CVSS 6.5 | AI score 5.6 | EPSS 0.00266
Exploits 3 | References 1 | Affected Software 1
Cvelist
added 2026/01/24 1:43 a.m.

CVE-2026-24421 phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated but does not verify that the requester has...

CVSS 6.5 | EPSS 0.00266
Exploits 3 | References 1
Vulnrichment
added 2026/01/24 1:43 a.m.

CVE-2026-24421 phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated but does not verify that the requester has...

CVSS 6.5 | AI score 5.9 | EPSS 0.00266
Exploits 3 | References 1
EUVD
added 2026/01/24 1:43 a.m.

EUVD-2026-4258

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated but does not verify that the requester has...

CVSS 6.5 | AI score 5.6 | EPSS 0.00266
Exploits 3 | References 2
ATTACKERKB
added 2026/01/24 1:43 a.m.

CVE-2026-24421

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated but does not verify that the requester has...

CVSS 6.5 | AI score 5.9 | EPSS 0.00266
Exploits 3 | References 2 | Affected Software 1
OSV
added 2026/01/24 1:43 a.m.

CVE-2026-24421 phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated but does not verify that the requester has...

CVSS 6.5 | AI score 5.8 | EPSS 0.00266
Exploits 3 | References 3
CNNVD
added 2026/01/24 12:00 a.m.

phpMyFAQ Access Control Vulnerability

phpMyFAQ is a multilingual, database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ 4.0.16 and earlier contained an access control vulnerability caused by insufficient permission checks. This vulnerability could allow unauthorized users to download FAQ attachments...

CVSS 6.5 | AI score 5.8 | EPSS 0.00016
Exploits 1 | References 2
CNNVD
added 2026/01/24 12:00 a.m.

phpMyFAQ security vulnerabilities

phpMyFAQ is a multilingual, database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ 4.0.16 and earlier contain security vulnerabilities. These vulnerabilities stem from authorization logic flaws, which may allow non-administrative users to trigger configuration backups and...

CVSS 6.5 | AI score 5.8 | EPSS 0.00266
Exploits 3 | References 3
Snyk
added 2026/01/23 8:17 p.m.

Information Exposure

Overview: thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Information Exposure via OpenQuestionController::list. An attacker can access sensitive email addresses and non-public records by sending requests to...

CVSS 7.5 | AI score 5.9 | EPSS 0.00021
Exploits 1 | References 2
OSV
added 2026/01/23 8:17 p.m.

GHSA-J4RC-96XJ-GVQC phpMyFAQ: Public API endpoints expose emails and invisible questions

Summary: Several public API endpoints return email addresses and non-public records, e.g. open questions with isVisible=false. Details: OpenQuestionController::list calls Question::getAll with the default showAll=true, returning invisible questions and their emails. Similar exposures exist in...

CVSS 5.3 | AI score 5.5 | EPSS 0.00021
Exploits 1 | References 3
OSV
added 2026/01/23 8:17 p.m.

GHSA-WM8H-26FV-MG7G phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)

Summary: Authenticated non-admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. Details: SetupController.php uses userIsAuthenticated but does not verify that the requester has...

CVSS 6.5 | AI score 5.5 | EPSS 0.00266
Exploits 3 | References 3
Snyk
added 2026/01/23 8:17 p.m.

Improper Authorization

Overview: thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Improper Authorization via the backup endpoint in the setup API. An attacker can access sensitive configuration backups by sending authenticated request...

CVSS 7.1 | AI score 5.5 | EPSS 0.00266
Exploits 3 | References 2