Skip to main content

phpMyFAQ EUVDEUVD-2026-30602

| CVE-2026-46366 HIGH
Incorrect Authorization (CWE-863)
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
May 28, 2026 - 16:39 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 16:37 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 16:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Patch available
May 15, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 15, 2026 - 19:32 vuln.today
Analysis Generated
May 15, 2026 - 19:32 vuln.today

DescriptionCVE.org

phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solution_id_{id}.html endpoint. Attackers can sequentially iterate solution IDs to discover all FAQs including those restricted to specific users or groups, leaking sensitive metadata through redirect Location headers and page canonical links.

AnalysisAI

{id}.html endpoint, leaking titles, internal IDs, languages, and category bindings via 301 redirect Location headers. The flaw stems from a missing permission filter in the getIdFromSolutionId() method, and a publicly available exploit code path is documented in the GitHub Security Advisory (GHSA-99qv-g4x9-mgc3) with SSVC marking exploitation as PoC and automatable. EPSS is low (0.06%, 19th percentile) and the issue is not in CISA KEV, indicating no confirmed active exploitation despite the high CVSS 4.0 score of 8.7.

Technical ContextAI

phpMyFAQ is an open-source PHP-based FAQ management application (CPE cpe:2.3:a:thorsten:phpmyfaq) that supports per-user and per-group access control on FAQ entries. The root cause is CWE-863 (Incorrect Authorization): the Faq::getIdFromSolutionId() method at phpmyfaq/src/phpMyFAQ/Faq.php:1312 issues a SQL query joining faqdata with faqcategoryrelations using only solution_id as the predicate, with no permission/group/user filter. The companion getFaqBySolutionId() at line 1221 contains an explicit fallback query annotated 'for tests' that also bypasses permission checks, widening the blast radius to any callsite trusting that result. The FaqController route /solution_id_{solutionId}.html consumes the unfiltered data and emits a 301 redirect whose Location header embeds the FAQ's category ID, internal ID, language, and title slug, and the resulting page exposes the same metadata via canonical links, share-to-social URLs, and hidden form fields.

RemediationAI

Vendor-released patch: upgrade phpMyFAQ to 4.1.2 or later, which adds permission filtering to getIdFromSolutionId() and the getFaqBySolutionId() fallback path; Composer users should run 'composer update thorsten/phpmyfaq' to pull >=4.1.2 as documented in GHSA-99qv-g4x9-mgc3. If patching cannot be done immediately, block or restrict access to the /solution_id_{id}.html route at the reverse proxy or web server level (e.g., nginx location block or Apache <Location> deny), accepting the trade-off that legitimate solution-ID-based deep links will return 403 or 404. Alternatively, require authentication for that route via the proxy, which prevents anonymous enumeration but breaks public-content workflows that rely on solution IDs being publicly reachable; rate-limiting sequential integer requests at the WAF is a weaker mitigation since the impact is per-ID rather than volumetric. Review server access logs for sequential scans of /solution_id_* paths to detect prior enumeration.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

EUVD-2026-30602 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy