Is PHP affected by CVE-2026-24420?

Organizations using phpMyFAQ should be aware of notable risk from CVE-2026-24420, a improper access control vulnerability rated CVSS 6.5. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available.

CVE-2026-24420

MEDIUM

2026-01-24 [email protected]

GHSA-7p9h-m7m8-vhhv

6.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:59 vuln.today

PoC Detected

Jan 28, 2026 - 18:25 vuln.today

Public exploit code

CVE Published

Jan 24, 2026 - 03:16 nvd

MEDIUM 6.5

Description

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version

Analysis

Authenticated users in phpMyFAQ 4.0.16 and below can bypass permission checks to download FAQ attachments they should not have access to, due to improper validation of authorization tokens in attachment.php and flawed permission logic. An attacker with valid credentials but without the dlattachment permission can exploit this to retrieve sensitive attachment content. …

Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +32

POC: +20

CVE-2026-24420 vulnerability details – vuln.today

Back

CVE-2026-24420

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-24420

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code