thorsten/phpmyfaq Security Advisories for 4.1.2 (7)
-
[HIGH] phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards
PKSA-bgmm-r5q1-dvfj GHSA-985r-q3qp-299h
Affected version: <=4.1.3
Reported by:
GitHub -
[MEDIUM] phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)
PKSA-wn7x-tbkv-cqqp CVE-2026-49205 GHSA-8c6h-7g6x-m5x4
Affected version: <4.1.4
Reported by:
GitHub -
[LOW] phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing
PKSA-p1ky-vdyf-6r6j CVE-2026-48488 GHSA-58fg-62fg-3fcj
Affected version: <=4.1.3
Reported by:
GitHub -
[HIGH] phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration
PKSA-x1b3-f9q9-1brm CVE-2026-35675 GHSA-w9xh-5f39-vq89
Affected version: <4.1.3
Reported by:
GitHub -
[HIGH] phpMyFAQ: Default Empty API Token Authentication Bypass
PKSA-jk8b-rmby-gztg CVE-2026-35672 GHSA-gp95-j463-vv28
Affected version: <=4.1.2
Reported by:
GitHub -
[HIGH] phpMyFAQ: IDOR Account Takeover
PKSA-ttcw-fg74-jv2w CVE-2026-35671 GHSA-xvp4-phqj-cjr3
Affected version: <4.1.3
Reported by:
GitHub -
[HIGH] phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation
PKSA-64xv-jbdm-pg2q CVE-2026-35676 GHSA-9qv9-8xv6-5p35
Affected version: <4.1.3
Reported by:
GitHub