Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remotely reachable admin API with low complexity and no user interaction, but requires an existing delegated-admin account (PR:L); full SuperAdmin takeover gives high C/I/A within the same instance (S:U).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in the user/add API endpoint that allows non-SuperAdmin administrators to create SuperAdmin accounts. A delegated administrator with USER_ADD/EDIT/DELETE permissions can call POST /admin/api/user/add with isSuperAdmin: true and attacker-chosen credentials to create a SuperAdmin account, then authenticate as that account to achieve full instance takeover.
AnalysisAI
Privilege escalation in phpMyFAQ before 4.1.5 lets a delegated administrator holding USER_ADD/EDIT/DELETE rights mint a full SuperAdmin account through the POST /admin/api/user/add endpoint, resulting in complete instance takeover. The flaw stems from a missing SuperAdmin authorization guard, allowing a lower-privileged operator to submit isSuperAdmin: true with attacker-chosen credentials and then log in as that account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must already possess an authenticated phpMyFAQ administrator account carrying the USER_ADD/EDIT/DELETE permissions (a delegated, non-SuperAdmin role) and network access to the /admin API. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) reflects network reachability, low attack complexity, no user interaction, and high impact to confidentiality, integrity, and availability, gated only by PR:L - the attacker must already hold a delegated admin account with user-management permissions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A contractor or help-desk operator granted a delegated phpMyFAQ admin role with user-management rights sends a single authenticated POST to /admin/api/user/add with isSuperAdmin set to true and a username/password they control. The server creates the SuperAdmin account without checking the caller's own tier, and the attacker logs in with those credentials to gain full control of the instance, its content, and its stored user data. … |
| Remediation | Upgrade to phpMyFAQ 4.1.5 or later, which adds the missing SuperAdmin authorization check on the user/add endpoint (Vendor-released patch: 4.1.5); see the GitHub Security Advisory GHSA-r2f4-v277-hvw9 at https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-r2f4-v277-hvw9. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all phpMyFAQ deployments, confirm installed versions, and immediately restrict network access to the /admin/api/user/add endpoint to a minimal set of trusted administrators using firewall or reverse-proxy rules. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8
Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th
Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS
In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi
Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44632
GHSA-26xw-7hf2-f34q