Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solution_id_{id}.html endpoint. Attackers can sequentially iterate solution IDs to discover all FAQs including those restricted to specific users or groups, leaking sensitive metadata through redirect Location headers and page canonical links.
AnalysisAI
{id}.html endpoint, leaking titles, internal IDs, languages, and category bindings via 301 redirect Location headers. The flaw stems from a missing permission filter in the getIdFromSolutionId() method, and a publicly available exploit code path is documented in the GitHub Security Advisory (GHSA-99qv-g4x9-mgc3) with SSVC marking exploitation as PoC and automatable. EPSS is low (0.06%, 19th percentile) and the issue is not in CISA KEV, indicating no confirmed active exploitation despite the high CVSS 4.0 score of 8.7.
Technical ContextAI
phpMyFAQ is an open-source PHP-based FAQ management application (CPE cpe:2.3:a:thorsten:phpmyfaq) that supports per-user and per-group access control on FAQ entries. The root cause is CWE-863 (Incorrect Authorization): the Faq::getIdFromSolutionId() method at phpmyfaq/src/phpMyFAQ/Faq.php:1312 issues a SQL query joining faqdata with faqcategoryrelations using only solution_id as the predicate, with no permission/group/user filter. The companion getFaqBySolutionId() at line 1221 contains an explicit fallback query annotated 'for tests' that also bypasses permission checks, widening the blast radius to any callsite trusting that result. The FaqController route /solution_id_{solutionId}.html consumes the unfiltered data and emits a 301 redirect whose Location header embeds the FAQ's category ID, internal ID, language, and title slug, and the resulting page exposes the same metadata via canonical links, share-to-social URLs, and hidden form fields.
RemediationAI
Vendor-released patch: upgrade phpMyFAQ to 4.1.2 or later, which adds permission filtering to getIdFromSolutionId() and the getFaqBySolutionId() fallback path; Composer users should run 'composer update thorsten/phpmyfaq' to pull >=4.1.2 as documented in GHSA-99qv-g4x9-mgc3. If patching cannot be done immediately, block or restrict access to the /solution_id_{id}.html route at the reverse proxy or web server level (e.g., nginx location block or Apache <Location> deny), accepting the trade-off that legitimate solution-ID-based deep links will return 403 or 404. Alternatively, require authentication for that route via the proxy, which prevents anonymous enumeration but breaks public-content workflows that rely on solution IDs being publicly reachable; rate-limiting sequential integer requests at the WAF is a weaker mitigation since the impact is per-ID rather than volumetric. Review server access logs for sequential scans of /solution_id_* paths to detect prior enumeration.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30602
GHSA-cqrw-j4qc-7f9w