Which versions of phpMyFAQ are affected by CVE-2026-46362?

phpMyFAQ versions prior to 4.1.2 contain an authorization bypass allowing authenticated administrators to circumvent access controls and view sensitive administrative data, logs, and system…. A patch is available.

How to fix or mitigate CVE-2026-46362?

24 hours: Inventory all phpMyFAQ deployments and determine current versions. 7 days: Upgrade all instances to phpMyFAQ 4.1.2 or later and verify successful deployment. 30 days: Review administrative audit logs for unauthorized access attempts during the vulnerability window and validate that permission controls function correctly.

phpMyFAQ CVE-2026-46362

Q: What is the CVSS score of CVE-2026-46362?

CVE-2026-46362 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-30599 HIGH

Incorrect Authorization (CWE-863)

2026-05-15 VulnCheck

GHSA-w9mj-gfrm-hj5x

Authentication Bypass

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 28, 2026 - 16:38 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 28, 2026 - 16:22 vuln.today

cvss_changed

Severity Changed

May 28, 2026 - 16:22 NVD

MEDIUM HIGH

CVSS changed

May 28, 2026 - 16:22 NVD

6.5 (MEDIUM) 7.1 (HIGH)

Patch available

May 15, 2026 - 20:02 EUVD

Source Code Evidence Fetched

May 15, 2026 - 19:38 vuln.today

Analysis Generated

May 15, 2026 - 19:38 vuln.today

DescriptionNVD

phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.

AnalysisAI

Authorization bypass in phpMyFAQ versions prior to 4.1.2 allows any authenticated administrative user to access all permission-protected admin pages, regardless of their assigned privileges. The flaw resides in AbstractAdministrationController::userHasPermission() which sends a forbidden response but fails to terminate execution, leaking admin logs, user data, system information, and configuration. …

RemediationAI

24 hours: Inventory all phpMyFAQ deployments and determine current versions. 7 days: Upgrade all instances to phpMyFAQ 4.1.2 or later and verify successful deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-46362 vulnerability details – vuln.today

Back

phpMyFAQ CVE-2026-46362

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

phpMyFAQ CVE-2026-46362

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code