thorsten/phpmyfaq Security Advisories for 4.0.12 (6)
-
[MEDIUM] phpMyFAQ: Public API endpoints expose emails and invisible questions
PKSA-2sk9-r8yw-1gc5 CVE-2026-24422 GHSA-j4rc-96xj-gvqc
Affected version: <=4.0.16
Reported by:
GitHub -
[MEDIUM] phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)
PKSA-fgvt-rx8y-b52y CVE-2026-24421 GHSA-wm8h-26fv-mg7g
Affected version: <=4.0.16
Reported by:
GitHub -
[MEDIUM] phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)
PKSA-mvwk-xn5v-s54b CVE-2026-24420 GHSA-7p9h-m7m8-vhhv
Affected version: <=4.0.16
Reported by:
GitHub -
[HIGH] phpMyFAQ has unauthenticated config backup download via /api/setup/backup
PKSA-w8m6-73n2-zbk6 CVE-2025-69200 GHSA-9cg9-4h4f-j6fg
Affected version: >=4.1.0-alpha,<=4.1.0-beta.2|<4.0.16
Reported by:
GitHub -
[HIGH] phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
PKSA-zh4p-vq78-zndy CVE-2025-62519 GHSA-fxm2-cmwj-qvx4
Affected version: <=4.0.13
Reported by:
GitHub -
[HIGH] phpMyFAQ duplicate email registration allows multiple accounts with the same email
PKSA-pzch-4td8-nkvb CVE-2025-59943 GHSA-9wj2-4hcm-r74j
Affected version: >=4.0.7,<4.0.13
Reported by:
GitHub