{"url":"http://public2.vulnerablecode.io/api/packages/932214?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.0-RC","type":"composer","namespace":"phpmyfaq","name":"phpmyfaq","version":"4.1.0-RC","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.1.3","latest_non_vulnerable_version":"4.1.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68252?format=json","vulnerability_id":"VCID-1qwx-htn1-4bg8","summary":"phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46364","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.2036","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46364"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46364","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026
-46364"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/commit/b9f25109fddb38eee19987183798638d07943f92","reference_id":"b9f25109fddb38eee19987183798638d07943f92","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-15T22:11:13Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/commit/b9f25109fddb38eee19987183798638d07943f92"},{"reference_url":"https://github.com/advisories/GHSA-289f-fq7w-6q2w","reference_id":"GHSA-289f-fq7w-6q2w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-289f-fq7w-6q2w"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-289f-fq7w-6q2w","reference_id":"GHSA-289f-fq7w-6q2w","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-15T22:11:13Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-289f-fq7w-6q2w"},{"reference_url":"https://www.vulncheck.com/advisories/phpmyfaq-sql-injection-via-user-agent-header-in-builtincaptcha","reference_id":"phpmyfaq-sql-injection-via-user-agent-header-in-builtincaptcha","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scorin
g_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-15T22:11:13Z/"}],"url":"https://www.vulncheck.com/advisories/phpmyfaq-sql-injection-via-user-agent-header-in-builtincaptcha"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41355?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mdxy-3bhf-6ybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.2"}],"aliases":["CVE-2026-46364","GHSA-289f-fq7w-6q2w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1qwx-htn1-4bg8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359183?format=json","vulnerability_id":"VCID-2na9-t3m7-wfhn","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34729","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16466","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34729"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-cv2g-8cj8-vgc7","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"gener
ic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-cv2g-8cj8-vgc7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34729","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34729"},{"reference_url":"https://github.com/advisories/GHSA-cv2g-8cj8-vgc7","reference_id":"GHSA-cv2g-8cj8-vgc7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cv2g-8cj8-vgc7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373458?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qwx-htn1-4bg8"},{"vulnerability":"VCID-426v-vz22-nqem"},{"vulnerability":"VCID-5pw3-qxh6-6ufr"},{"vulnerability":"VCID-7tpb-1avq-zfhu"},{"vulnerability":"VCID-8k51-budg-h3ak"},{"vulnerability":"VCID-ecpv-3xqn-eqf8"},{"vulnerability":"VCID-n3tn-cpf3-5qe2"},{"vulnerability":"VCID-rrz3-kbbd-eyhq"},{"vulnerability":"VCID-tpbv-urbk-h7gf"},{"vulnerability":"VCID-txxg-bugj-6bd4"},{"vulnerability":"VCID-vjqh-59nn-5ude"},{"vulnerability":"VCID-yckn-74u4-pkaw"},{"vulnerability":"VCID-zr1w-jzzj-a7gd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.1"}],"aliases":["CVE-2026-34729","GHSA-cv2g-8cj8-vgc7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2na9-t3m7-wfhn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68191?format=json","vulnerability_id":"VCID-5pw3-qxh6-6ufr","summary":"phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers 
to enumerate restricted FAQ entries and read their titles via the /solution_id_{id}.html endpoint. Attackers can sequentially iterate solution IDs to discover all FAQs including those restricted to specific users or groups, leaking sensitive metadata through redirect Location headers and page canonical links.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46366","reference_id":"","reference_type":"","scores":[{"value":"0.00078","scoring_system":"epss","scoring_elements":"0.23355","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46366"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46366","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46366"},{"reference_url":"https://github.com/advisories/GHSA-99qv-g4x9-mgc3","reference_id":"GHSA-99qv-g4x9-mgc3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-99qv-g4x9-mgc3"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-99qv-g4x9-mgc3","reference_id":"GHSA-99qv-g4x9-mgc3","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track
","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-15T20:16:45Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-99qv-g4x9-mgc3"},{"reference_url":"https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-information-disclosure-via-getidfromsolutionid-permission-bypass","reference_id":"phpmyfaq-unauthenticated-information-disclosure-via-getidfromsolutionid-permission-bypass","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-15T20:16:45Z/"}],"url":"https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-information-disclosure-via-getidfromsolutionid-permission-bypass"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41355?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mdxy-3bhf-6ybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.2"}],"aliases":["CVE-2026-46366","GHSA-99qv-g4x9-mgc3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5pw3-qxh6-6ufr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68138?format=json","vulnerability_id":"VCID-7tpb-1avq-zfhu","summary":"phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. 
Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass html_entity_decode(strip_tags()) processing in SearchController.php, executing arbitrary JavaScript in every visitor's browser context including administrators.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46361","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01337","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46361"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46361","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46361"},{"reference_url":"https://github.com/advisories/GHSA-pqh6-8fxf-jx22","reference_id":"GHSA-pqh6-8fxf-jx22","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pqh6-8fxf-jx22"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pqh6-8fxf-jx22","reference_id":"GHSA-pqh6-8fxf-jx22","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSV
Cv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-16T01:17:36Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pqh6-8fxf-jx22"},{"reference_url":"https://www.vulncheck.com/advisories/phpmyfaq-stored-cross-site-scripting-via-raw-filter-in-search-twig","reference_id":"phpmyfaq-stored-cross-site-scripting-via-raw-filter-in-search-twig","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-16T01:17:36Z/"}],"url":"https://www.vulncheck.com/advisories/phpmyfaq-stored-cross-site-scripting-via-raw-filter-in-search-twig"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41355?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mdxy-3bhf-6ybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.2"}],"aliases":["CVE-2026-46361","GHSA-pqh6-8fxf-jx22"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7tpb-1avq-zfhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69892?format=json","vulnerability_id":"VCID-8k51-budg-h3ak","summary":"phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT). 
Any authenticated user can enumerate system configuration metadata including permission model, cache backend, mail provider, and translation provider by querying /admin/api/configuration endpoints, violating least privilege access control.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45007","reference_id":"","reference_type":"","scores":[{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.01076","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45007"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45007","reference_id":"CVE-2026-45007","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45007"},{"reference_url":"https://github.com/advisories/GHSA-rm98-82fr-mcfx","reference_id":"GHSA-rm98-82fr-mcfx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rm98-82fr-mcfx"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-rm98-82fr-mcfx","reference_id":"GHSA-rm98-82fr-mcfx","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"S
SVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-16T01:16:25Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-rm98-82fr-mcfx"},{"reference_url":"https://www.vulncheck.com/advisories/phpmyfaq-missing-permission-check-on-12-configuration-api-endpoints-allows-information-disclosure","reference_id":"phpmyfaq-missing-permission-check-on-12-configuration-api-endpoints-allows-information-disclosure","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-16T01:16:25Z/"}],"url":"https://www.vulncheck.com/advisories/phpmyfaq-missing-permission-check-on-12-configuration-api-endpoints-allows-information-disclosure"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41355?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mdxy-3bhf-6ybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.2"}],"aliases":["CVE-2026-45007","GHSA-rm98-82fr-mcfx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8k51-budg-h3ak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74950?format=json","vulnerability_id":"VCID-a9tb-yj7x-pya1","summary":"phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. 
When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', \", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34728","reference_id":"","reference_type":"","scores":[{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25492","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34728"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34728","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34728"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1","reference_id":"4.1.1","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T15:23:57Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.
1"},{"reference_url":"https://github.com/advisories/GHSA-38m8-xrfj-v38x","reference_id":"GHSA-38m8-xrfj-v38x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-38m8-xrfj-v38x"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x","reference_id":"GHSA-38m8-xrfj-v38x","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T15:23:57Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373458?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qwx-htn1-4bg8"},{"vulnerability":"VCID-426v-vz22-nqem"},{"vulnerability":"VCID-5pw3-qxh6-6ufr"},{"vulnerability":"VCID-7tpb-1avq-zfhu"},{"vulnerability":"VCID-8k51-budg-h3ak"},{"vulnerability":"VCID-ecpv-3xqn-eqf8"},{"vulnerability":"VCID-n3tn-cpf3-5qe2"},{"vulnerability":"VCID-rrz3-kbbd-eyhq"},{"vulnerability":"VCID-tpbv-urbk-h7gf"},{"vulnerability":"VCID-txxg-bugj-6bd4"},{"vulnerability":"VCID-vjqh-59nn-5ude"},{"vulnerability":"VCID-yckn-74u4-pkaw"},{"vulnerability":"VCID-zr1w-jzzj-a7gd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.1"}],"aliases":["CVE-2026-34728","GHSA-38m8-xrfj-v38x"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a9tb-yj7x-pya1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68143?format=json","vulnerability_id":"VCID-ecpv-3xqn-eqf8","summary":"phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in 
SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQ_EDIT permission can upload malicious SVG files with deeply nested ampersand encoding around numeric HTML entities to reconstruct javascript: URLs, which execute arbitrary JavaScript when clicked by other users viewing the uploaded SVG.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46360","reference_id":"","reference_type":"","scores":[{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08901","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46360"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46360","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46360"},{"reference_url":"https://github.com/advisories/GHSA-whqh-9pq5-c7r3","reference_id":"GHSA-whqh-9pq5-c7r3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-whqh-9pq5-c7r3"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-whqh-9pq5-c7r3","reference_id":"GHSA-whqh-9pq5-c7r3","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA
:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T20:15:56Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-whqh-9pq5-c7r3"},{"reference_url":"https://www.vulncheck.com/advisories/phpmyfaq-stored-xss-via-entity-decoding-depth-limit-bypass-in-svg-sanitizer","reference_id":"phpmyfaq-stored-xss-via-entity-decoding-depth-limit-bypass-in-svg-sanitizer","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T20:15:56Z/"}],"url":"https://www.vulncheck.com/advisories/phpmyfaq-stored-xss-via-entity-decoding-depth-limit-bypass-in-svg-sanitizer"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41355?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mdxy-3bhf-6ybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.2"}],"aliases":["CVE-2026-46360","GHSA-whqh-9pq5-c7r3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ecpv-3xqn-eqf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359156?format=json","vulnerability_id":"VCID-qhsm-g24v-k7gj","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32629","reference_id":"","reference_type":"","scores":[{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41566","published_at":"2026-06
-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32629"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32629","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32629"},{"reference_url":"https://github.com/advisories/GHSA-98gw-w575-h2ph","reference_id":"GHSA-98gw-w575-h2ph","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-98gw-w575-h2ph"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373458?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qwx-htn1-4bg8"},{"vulnerability":"VCID-426v-vz22-nqem"},{"vulnerability":"VCID-5pw3-qxh6-6ufr"},{"vulnerability":"VCID-7tpb-1avq-zfhu"},{"vulnerability":"VCID-8k51-budg-h3ak"},{"vulnerability":"VCID-ecpv-3xqn-eqf8"},{"vulnerability":"VCID-n3tn-cpf3-5qe2"},{"vulnerability":"VCID-rrz3-kbbd-eyhq"},{"vulnerability":"VCID-tpbv-ur
bk-h7gf"},{"vulnerability":"VCID-txxg-bugj-6bd4"},{"vulnerability":"VCID-vjqh-59nn-5ude"},{"vulnerability":"VCID-yckn-74u4-pkaw"},{"vulnerability":"VCID-zr1w-jzzj-a7gd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.1"}],"aliases":["CVE-2026-32629","GHSA-98gw-w575-h2ph"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qhsm-g24v-k7gj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69871?format=json","vulnerability_id":"VCID-rrz3-kbbd-eyhq","summary":"phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative 
access.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45010","reference_id":"","reference_type":"","scores":[{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41063","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45010"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45010","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45010"},{"reference_url":"https://github.com/advisories/GHSA-9pq7-mfwh-xx2j","reference_id":"GHSA-9pq7-mfwh-xx2j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9pq7-mfwh-xx2j"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9pq7-mfwh-xx2j","reference_id":"GHSA-9pq7-mfwh-xx2j","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-15T22:11:39Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9pq7-mfwh-xx2j"},{"reference_url":"https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-two-factor-authent
ication-brute-force-via-admin-check-endpoint","reference_id":"phpmyfaq-unauthenticated-two-factor-authentication-brute-force-via-admin-check-endpoint","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-15T22:11:39Z/"}],"url":"https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-two-factor-authentication-brute-force-via-admin-check-endpoint"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41355?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mdxy-3bhf-6ybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.2"}],"aliases":["CVE-2026-45010","GHSA-9pq7-mfwh-xx2j"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rrz3-kbbd-eyhq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68194?format=json","vulnerability_id":"VCID-tpbv-urbk-h7gf","summary":"phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. 
Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break out of string literals and execute arbitrary database queries.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46359","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10098","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46359"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46359","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46359"},{"reference_url":"https://github.com/advisories/GHSA-pm8c-3qq3-72w7","reference_id":"GHSA-pm8c-3qq3-72w7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pm8c-3qq3-72w7"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pm8c-3qq3-72w7","reference_id":"GHSA-pm8c-3qq3-72w7","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-15T21:12:51Z/"}],"url":"https://github.com/thorsten/ph
pMyFAQ/security/advisories/GHSA-pm8c-3qq3-72w7"},{"reference_url":"https://www.vulncheck.com/advisories/phpmyfaq-sql-injection-in-currentuser-settokendata-via-unescaped-oauth-token-fields","reference_id":"phpmyfaq-sql-injection-in-currentuser-settokendata-via-unescaped-oauth-token-fields","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-15T21:12:51Z/"}],"url":"https://www.vulncheck.com/advisories/phpmyfaq-sql-injection-in-currentuser-settokendata-via-unescaped-oauth-token-fields"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41355?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mdxy-3bhf-6ybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.2"}],"aliases":["CVE-2026-46359","GHSA-pm8c-3qq3-72w7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tpbv-urbk-h7gf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69890?format=json","vulnerability_id":"VCID-txxg-bugj-6bd4","summary":"phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. 
Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45008","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.1536","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45008"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45008","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45008"},{"reference_url":"https://github.com/advisories/GHSA-gh9p-q46p-57g2","reference_id":"GHSA-gh9p-q46p-57g2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gh9p-q46p-57g2"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gh9p-q46p-57g2","reference_id":"GHSA-gh9p-q46p-57g2","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H"},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-18T16:05:19Z/"}],"url":"https://github.c
om/thorsten/phpMyFAQ/security/advisories/GHSA-gh9p-q46p-57g2"},{"reference_url":"https://www.vulncheck.com/advisories/phpmyfaq-path-traversal-in-client-deleteclientfolder-via-url-parameter","reference_id":"phpmyfaq-path-traversal-in-client-deleteclientfolder-via-url-parameter","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H"},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-18T16:05:19Z/"}],"url":"https://www.vulncheck.com/advisories/phpmyfaq-path-traversal-in-client-deleteclientfolder-via-url-parameter"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41355?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mdxy-3bhf-6ybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.2"}],"aliases":["CVE-2026-45008","GHSA-gh9p-q46p-57g2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-txxg-bugj-6bd4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68157?format=json","vulnerability_id":"VCID-vjqh-59nn-5ude","summary":"phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. 
The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags via question or answer parameters, which execute in every visitor's browser when FAQ content is rendered with the raw Twig filter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46363","reference_id":"","reference_type":"","scores":[{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08901","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46363"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46363","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46363"},{"reference_url":"https://github.com/advisories/GHSA-f5p7-2c9q-8896","reference_id":"GHSA-f5p7-2c9q-8896","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f5p7-2c9q-8896"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-f5p7-2c9q-8896","reference_id":"GHSA-f5p7-2c9q-8896","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:
P/P:M/B:A/M:M/D:T/2026-05-15T20:01:20Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-f5p7-2c9q-8896"},{"reference_url":"https://www.vulncheck.com/advisories/phpmyfaq-stored-xss-in-faq-question-answer-via-encode-decode-bypass","reference_id":"phpmyfaq-stored-xss-in-faq-question-answer-via-encode-decode-bypass","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T20:01:20Z/"}],"url":"https://www.vulncheck.com/advisories/phpmyfaq-stored-xss-in-faq-question-answer-via-encode-decode-bypass"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41355?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mdxy-3bhf-6ybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.2"}],"aliases":["CVE-2026-46363","GHSA-f5p7-2c9q-8896"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vjqh-59nn-5ude"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360347?format=json","vulnerability_id":"VCID-yckn-74u4-pkaw","summary":"phpMyFAQ's Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags\n## Summary\n\nThe `TagController::delete()` endpoint at `DELETE /admin/api/content/tags/{tagId}` only verifies that the user is logged in (`userIsAuthenticated()`), but does not check any permission. Any authenticated user — including regular non-admin frontend users — can delete any tag by ID. 
This contrasts with `TagController::update()` and `TagController::search()`, which both enforce the `FAQ_EDIT` permission.\n\n## Details\n\nIn `phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/TagController.php`, the `delete()` method (line 121-133) uses only `$this->userIsAuthenticated()`:\n\n```php\n#[Route(path: 'content/tags/{tagId}', name: 'admin.api.content.tags.id', methods: ['DELETE'])]\npublic function delete(Request $request): JsonResponse\n{\n    $this->userIsAuthenticated();  // Only checks isLoggedIn() — no permission check\n\n    $tagId = (int) Filter::filterVar($request->attributes->get('tagId'), FILTER_VALIDATE_INT);\n\n    if ($this->tags->delete($tagId)) {\n        return $this->json(['success' => Translation::get(key: 'ad_tag_delete_success')], Response::HTTP_OK);\n    }\n\n    return $this->json(['error' => Translation::get(key: 'ad_tag_delete_error')], Response::HTTP_BAD_REQUEST);\n}\n```\n\nCompare with `update()` (line 48-71) which properly enforces authorization:\n\n```php\npublic function update(Request $request): JsonResponse\n{\n    $this->userHasPermission(PermissionType::FAQ_EDIT);  // Proper permission check\n    // ... also verifies CSRF token ...\n}\n```\n\nThe `userIsAuthenticated()` method in `AbstractController` (line 258-263) only checks `$this->currentUser->isLoggedIn()`:\n\n```php\nprotected function userIsAuthenticated(): void\n{\n    if (!$this->currentUser->isLoggedIn()) {\n        throw new UnauthorizedHttpException(challenge: 'User is not authenticated.');\n    }\n}\n```\n\nThere is no admin-level middleware in the `Kernel` — it registers only RouterListener, LanguageListener, ControllerContainerListener, and exception listeners. 
The admin API entry point (`admin/api/index.php`) shares the same bootstrap and session as the frontend, meaning a frontend user's session cookie is valid for admin API requests.\n\nAdditionally, this endpoint lacks CSRF token verification (unlike `update()`), though the primary issue is the missing authorization since the attack vector is a logged-in user acting directly.\n\n## PoC\n\n```bash\n# Step 1: Register as a regular user on the phpMyFAQ frontend\n# (or use any existing non-admin authenticated session)\n\n# Step 2: As the authenticated non-admin user, delete tag with ID 1:\ncurl -X DELETE 'https://target.com/admin/api/content/tags/1' \\\n  -H 'Cookie: PHPSESSID=<regular_user_session>'\n\n# Expected: 401 or 403 (user lacks FAQ_EDIT permission)\n# Actual: 200 OK with {\"success\": \"...\"}\n\n# Step 3: Enumerate and delete all tags:\nfor i in $(seq 1 100); do\n  curl -s -X DELETE \"https://target.com/admin/api/content/tags/$i\" \\\n    -H 'Cookie: PHPSESSID=<regular_user_session>'\ndone\n```\n\n## Impact\n\nAny authenticated user (including regular frontend users who registered through the public registration form) can delete all tags in the phpMyFAQ instance. This results in:\n\n- **Data integrity loss:** Tags are permanently deleted from the database. 
All FAQ-to-tag associations are destroyed.\n- **Disruption of FAQ organization:** Tag-based navigation, filtering, and tag clouds become empty or broken.\n- **No recoverability without backup:** Deleted tags and their associations cannot be restored without a database backup.\n\nThe impact is limited to tags (not FAQ content itself), but in large installations with extensive tag taxonomies, this could significantly degrade usability.\n\n## Recommended Fix\n\nAdd the `FAQ_EDIT` permission check and CSRF token verification to `TagController::delete()`, consistent with `TagController::update()`:\n\n```php\n#[Route(path: 'content/tags/{tagId}', name: 'admin.api.content.tags.id', methods: ['DELETE'])]\npublic function delete(Request $request): JsonResponse\n{\n    $this->userHasPermission(PermissionType::FAQ_EDIT);\n\n    $tagId = (int) Filter::filterVar($request->attributes->get('tagId'), FILTER_VALIDATE_INT);\n\n    if ($this->tags->delete($tagId)) {\n        return $this->json(['success' => Translation::get(key: 'ad_tag_delete_success')], Response::HTTP_OK);\n    }\n\n    return $this->json(['error' => Translation::get(key: 'ad_tag_delete_error')], Response::HTTP_BAD_REQUEST);\n}\n```\n\nAt minimum, add `$this->userHasPermission(PermissionType::FAQ_EDIT)` to enforce the same authorization as the update and search endpoints. 
Consider also adding a dedicated `TAG_DELETE` permission type for more granular access control.","references":[{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://github.com/advisories/GHSA-7cx3-2qx2-3g6w","reference_id":"GHSA-7cx3-2qx2-3g6w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7cx3-2qx2-3g6w"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7cx3-2qx2-3g6w","reference_id":"GHSA-7cx3-2qx2-3g6w","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7cx3-2qx2-3g6w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41355?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mdxy-3bhf-6ybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.2"}],"aliases":["GHSA-7cx3-2qx2-3g6w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yckn-74u4-pkaw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68203?format=json","vulnerability_id":"VCID-zr1w-jzzj-a7gd","summary":"phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. 
Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46362","reference_id":"","reference_type":"","scores":[{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14909","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46362"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46362","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46362"},{"reference_url":"https://github.com/advisories/GHSA-hpgw-ww76-c68r","reference_id":"GHSA-hpgw-ww76-c68r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hpgw-ww76-c68r"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-hpgw-ww76-c68r","reference_id":"GHSA-hpgw-ww76-c68r","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-18T16:06:31Z/"}],"ur
l":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-hpgw-ww76-c68r"},{"reference_url":"https://www.vulncheck.com/advisories/phpmyfaq-authorization-bypass-in-admin-pages-via-non-terminating-permission-check","reference_id":"phpmyfaq-authorization-bypass-in-admin-pages-via-non-terminating-permission-check","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-18T16:06:31Z/"}],"url":"https://www.vulncheck.com/advisories/phpmyfaq-authorization-bypass-in-admin-pages-via-non-terminating-permission-check"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41355?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mdxy-3bhf-6ybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.2"}],"aliases":["CVE-2026-46362","GHSA-hpgw-ww76-c68r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zr1w-jzzj-a7gd"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83111?format=json","vulnerability_id":"VCID-57ev-2w6v-mbbs","summary":"phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. 
Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24421","reference_id":"","reference_type":"","scores":[{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.50358","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24421"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52523.txt","reference_id":"CVE-2026-24421","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52523.txt"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24421","reference_id":"CVE-2026-24421","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24421"},{"reference_url":"https://github.com/advisories/GHSA-wm8h-26fv-mg7g","reference_id":"GHSA-wm8h-26fv-mg7g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wm8h-26fv-mg7g"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-wm8h-26fv-mg7g","reference_id":"GHSA-wm8h-26fv-mg7g","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring
_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-26T16:14:22Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-wm8h-26fv-mg7g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38148?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.0.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.0.17"},{"url":"http://public2.vulnerablecode.io/api/packages/932214?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.0-RC","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qwx-htn1-4bg8"},{"vulnerability":"VCID-2na9-t3m7-wfhn"},{"vulnerability":"VCID-5pw3-qxh6-6ufr"},{"vulnerability":"VCID-7tpb-1avq-zfhu"},{"vulnerability":"VCID-8k51-budg-h3ak"},{"vulnerability":"VCID-a9tb-yj7x-pya1"},{"vulnerability":"VCID-ecpv-3xqn-eqf8"},{"vulnerability":"VCID-qhsm-g24v-k7gj"},{"vulnerability":"VCID-rrz3-kbbd-eyhq"},{"vulnerability":"VCID-tpbv-urbk-h7gf"},{"vulnerability":"VCID-txxg-bugj-6bd4"},{"vulnerability":"VCID-vjqh-59nn-5ude"},{"vulnerability":"VCID-yckn-74u4-pkaw"},{"vulnerability":"VCID-zr1w-jzzj-a7gd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.0-RC"}],"aliases":["CVE-2026-24421","GHSA-wm8h-26fv-mg7g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-57ev-2w6v-mbbs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83252?format=json","vulnerability_id":"VCID-6jmj-n5mz-bba8","summary":"phpMyFAQ is an open source FAQ web application. 
Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomplete permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version 4.0.17.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24420","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03833","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24420"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24420","reference_id":"CVE-2026-24420","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24420"},{"reference_url":"https://github.com/advisories/GHSA-7p9h-m7m8-vhhv","reference_id":"GHSA-7p9h-m7m8-vhhv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7p9h-m7m8-vhhv"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv","reference_id":"GHSA-7p9h-m7m8-vhhv","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":
"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-26T15:00:41Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38148?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.0.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.0.17"},{"url":"http://public2.vulnerablecode.io/api/packages/932214?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.0-RC","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qwx-htn1-4bg8"},{"vulnerability":"VCID-2na9-t3m7-wfhn"},{"vulnerability":"VCID-5pw3-qxh6-6ufr"},{"vulnerability":"VCID-7tpb-1avq-zfhu"},{"vulnerability":"VCID-8k51-budg-h3ak"},{"vulnerability":"VCID-a9tb-yj7x-pya1"},{"vulnerability":"VCID-ecpv-3xqn-eqf8"},{"vulnerability":"VCID-qhsm-g24v-k7gj"},{"vulnerability":"VCID-rrz3-kbbd-eyhq"},{"vulnerability":"VCID-tpbv-urbk-h7gf"},{"vulnerability":"VCID-txxg-bugj-6bd4"},{"vulnerability":"VCID-vjqh-59nn-5ude"},{"vulnerability":"VCID-yckn-74u4-pkaw"},{"vulnerability":"VCID-zr1w-jzzj-a7gd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.0-RC"}],"aliases":["CVE-2026-24420","GHSA-7p9h-m7m8-vhhv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6jmj-n5mz-bba8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83223?format=json","vulnerability_id":"VCID-p68j-sbvd-yuh4","summary":"phpMyFAQ is an open source FAQ web application. 
In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24422","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06201","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24422"},{"reference_url":"https://github.com/thorsten/phpMyFAQ","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/thorsten/phpMyFAQ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24422","reference_id":"CVE-2026-24422","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24422"},{"reference_url":"https://github.com/advisories/GHSA-j4rc-96xj-gvqc","reference_id":"GHSA-j4rc-96xj-gvqc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j4rc-96xj-gvqc"},{"reference_url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc
","reference_id":"GHSA-j4rc-96xj-gvqc","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-26T14:57:47Z/"}],"url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38148?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.0.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.0.17"},{"url":"http://public2.vulnerablecode.io/api/packages/932214?format=json","purl":"pkg:composer/phpmyfaq/phpmyfaq@4.1.0-RC","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qwx-htn1-4bg8"},{"vulnerability":"VCID-2na9-t3m7-wfhn"},{"vulnerability":"VCID-5pw3-qxh6-6ufr"},{"vulnerability":"VCID-7tpb-1avq-zfhu"},{"vulnerability":"VCID-8k51-budg-h3ak"},{"vulnerability":"VCID-a9tb-yj7x-pya1"},{"vulnerability":"VCID-ecpv-3xqn-eqf8"},{"vulnerability":"VCID-qhsm-g24v-k7gj"},{"vulnerability":"VCID-rrz3-kbbd-eyhq"},{"vulnerability":"VCID-tpbv-urbk-h7gf"},{"vulnerability":"VCID-txxg-bugj-6bd4"},{"vulnerability":"VCID-vjqh-59nn-5ude"},{"vulnerability":"VCID-yckn-74u4-pkaw"},{"vulnerability":"VCID-zr1w-jzzj-a7gd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.0-RC"}],"aliases":["CVE-2026-24422","GHSA-j4rc-96xj-gvqc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p68j-sbvd-yuh4"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpmyfaq/phpmyfaq@4.1.0-RC"}