GHSA-8C6H-7G6X-M5X4 phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)
Missing Authorization in API CategoryController — CVE-2026-24421 fixed BackupController by adding userHasPermissionPermissionType::BACKUP. The same fix was NOT applied to 4 other write endpoints in the public API. All 4 only call hasValidToken shared API key but never call userHasPermission,...