CVE-2026-46363

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQADD permission to inject malicious script tags via question or answer...

CVE-2026-46360

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQEDIT permission can upload malicious SVG files with deeply...

CVE-2026-45010

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

CVE-2026-45009

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access...

CVE-2026-45007

phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated instead of userHasPermissionCONFIGURATIONEDIT. Any authenticated user can enumerate system configuration metadata including permission model, cache backend, mail...

CVE-2026-45008

phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCEDELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../ in the client URL parameter to recursively delete...

EUVD-2026-30578

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...

CVE-2026-46367

phpMyFAQ prior to version 4.1.2 has a stored XSS vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, potentially stealing admin session cookies and achievin...

CVE-2026-46367 phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...

CVE-2026-46367

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...

CVE-2026-46367 phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...

CVE-2026-46366 phpMyFAQ - Unauthenticated Information Disclosure via getIdFromSolutionId Permission Bypass

phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solutionidid.html endpoint. Attackers can sequentially...

EUVD-2026-30602

phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solutionidid.html endpoint. Attackers can sequentially...

CVE-2026-46366

CVE-2026-46366 affects phpMyFAQ before 4.1.2. An information disclosure vulnerability exists in getIdFromSolutionId() that does not enforce permissions, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solution_id_{id}.html endpoint. Attackers ...

CVE-2026-46366 phpMyFAQ - Unauthenticated Information Disclosure via getIdFromSolutionId Permission Bypass

phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solutionidid.html endpoint. Attackers can sequentially...

CVE-2026-46365

This CVE affects phpMyFAQ prior to 4.1.2, where a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint allows any authenticated user (including regular frontend users) to delete arbitrary tags by sending a DELETE with a valid session cookie, causing permanent...

CVE-2026-46365 phpMyFAQ - Missing Authorization in Tag Deletion Endpoint

phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/tagId endpoint that allows any authenticated user to delete tags. Any logged-in user, including regular frontend users, can delete arbitrary tags by sending a DELETE request with a valid...

EUVD-2026-30600

phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/tagId endpoint that allows any authenticated user to delete tags. Any logged-in user, including regular frontend users, can delete arbitrary tags by sending a DELETE request with a valid...

CVE-2026-46365

phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/tagId endpoint that allows any authenticated user to delete tags. Any logged-in user, including regular frontend users, can delete arbitrary tags by sending a DELETE request with a valid...

CVE-2026-46365 phpMyFAQ - Missing Authorization in Tag Deletion Endpoint

phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/tagId endpoint that allows any authenticated user to delete tags. Any logged-in user, including regular frontend users, can delete arbitrary tags by sending a DELETE request with a valid...