[MEDIUM] phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

PKSA-bn6v-4n7v-4dtq CVE-2026-24420 GHSA-7p9h-m7m8-vhhv

Affected package: phpmyfaq/phpmyfaq

Affected version: <=4.0.16

Reported by:
GitHub