Skip to main content

phpMyFAQ CVE-2026-46362

| EUVDEUVD-2026-30599 HIGH
Incorrect Authorization (CWE-863)
2026-05-15 VulnCheck GHSA-w9mj-gfrm-hj5x
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
May 28, 2026 - 16:38 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
May 28, 2026 - 16:22 NVD
MEDIUM HIGH
CVSS changed
May 28, 2026 - 16:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Patch available
May 15, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 15, 2026 - 19:38 vuln.today
Analysis Generated
May 15, 2026 - 19:38 vuln.today

DescriptionCVE.org

phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.

AnalysisAI

Authorization bypass in phpMyFAQ versions prior to 4.1.2 allows any authenticated administrative user to access all permission-protected admin pages, regardless of their assigned privileges. The flaw resides in AbstractAdministrationController::userHasPermission() which sends a forbidden response but fails to terminate execution, leaking admin logs, user data, system information, and configuration. Publicly available exploit details exist via the GHSA advisory, though EPSS exploitation probability remains very low at 0.04%.

Technical ContextAI

phpMyFAQ is a PHP-based open-source FAQ management system (CPE cpe:2.3:a:thorsten:phpmyfaq) built on the Symfony HttpKernel framework. The root cause is CWE-863 (Incorrect Authorization): the AbstractAdministrationController overrides the parent userHasPermission() method to catch ForbiddenException and send an HTML forbidden page via Symfony Response::send(), but omits any exit(), die(), return, or exception re-throw. Because Response::send() only flushes output buffers and does not halt PHP execution, the calling controller method continues, fetching protected data and emitting a second full Response, effectively defeating the role-based access control layer entirely for any authenticated admin-area session.

RemediationAI

Vendor-released patch: upgrade phpMyFAQ to version 4.1.2 or later, available via Composer (phpmyfaq/phpmyfaq or thorsten/phpmyfaq) per the GHSA-hpgw-ww76-c68r advisory at https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-hpgw-ww76-c68r. If immediate upgrade is not possible, restrict admin panel access at the web server or reverse proxy layer (e.g., IP allowlist on /admin/ paths) and audit existing low-privilege admin accounts to remove any that are not strictly required; note this does not prevent abuse by any retained authenticated admin user. As an interim code-level mitigation, operators with deployment control can patch the overridden AbstractAdministrationController::userHasPermission() locally to call exit() or re-throw the ForbiddenException after sending the response, with the trade-off of diverging from upstream and complicating future updates.

CVE-2023-5865 CRITICAL POC
9.8 Oct 31

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8

CVE-2023-1886 CRITICAL POC
9.8 Apr 05

Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2026-46364 CRITICAL POC
9.3 May 15

Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and

CVE-2017-15730 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS

CVE-2017-15808 HIGH POC
8.8 Oct 23

In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2017-15735 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS

CVE-2017-15734 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8

CVE-2024-28107 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2024-27299 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2023-1762 HIGH POC
8.8 Mar 31

Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th

Share

CVE-2026-46362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy