Skip to main content

phpMyFAQ EUVDEUVD-2026-44632

| CVE-2026-57996 HIGH
Improper Privilege Management (CWE-269)
2026-07-15 VulnCheck GHSA-26xw-7hf2-f34q
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Remotely reachable admin API with low complexity and no user interaction, but requires an existing delegated-admin account (PR:L); full SuperAdmin takeover gives high C/I/A within the same instance (S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 13:03 EUVD
Analysis Generated
Jul 15, 2026 - 12:27 vuln.today
CVE Published
Jul 15, 2026 - 11:25 cve.org
HIGH 8.7

DescriptionCVE.org

phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in the user/add API endpoint that allows non-SuperAdmin administrators to create SuperAdmin accounts. A delegated administrator with USER_ADD/EDIT/DELETE permissions can call POST /admin/api/user/add with isSuperAdmin: true and attacker-chosen credentials to create a SuperAdmin account, then authenticate as that account to achieve full instance takeover.

AnalysisAI

Privilege escalation in phpMyFAQ before 4.1.5 lets a delegated administrator holding USER_ADD/EDIT/DELETE rights mint a full SuperAdmin account through the POST /admin/api/user/add endpoint, resulting in complete instance takeover. The flaw stems from a missing SuperAdmin authorization guard, allowing a lower-privileged operator to submit isSuperAdmin: true with attacker-chosen credentials and then log in as that account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as delegated admin with USER_ADD rights
Delivery
POST /admin/api/user/add with isSuperAdmin:true
Exploit
Bypass missing SuperAdmin guard
Execution
Create attacker SuperAdmin account
Persist
Log in as new SuperAdmin
Impact
Full instance takeover

Vulnerability AssessmentAI

Exploitation The attacker must already possess an authenticated phpMyFAQ administrator account carrying the USER_ADD/EDIT/DELETE permissions (a delegated, non-SuperAdmin role) and network access to the /admin API. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) reflects network reachability, low attack complexity, no user interaction, and high impact to confidentiality, integrity, and availability, gated only by PR:L - the attacker must already hold a delegated admin account with user-management permissions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A contractor or help-desk operator granted a delegated phpMyFAQ admin role with user-management rights sends a single authenticated POST to /admin/api/user/add with isSuperAdmin set to true and a username/password they control. The server creates the SuperAdmin account without checking the caller's own tier, and the attacker logs in with those credentials to gain full control of the instance, its content, and its stored user data. …
Remediation Upgrade to phpMyFAQ 4.1.5 or later, which adds the missing SuperAdmin authorization check on the user/add endpoint (Vendor-released patch: 4.1.5); see the GitHub Security Advisory GHSA-r2f4-v277-hvw9 at https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-r2f4-v277-hvw9. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all phpMyFAQ deployments, confirm installed versions, and immediately restrict network access to the /admin/api/user/add endpoint to a minimal set of trusted administrators using firewall or reverse-proxy rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-5865 CRITICAL POC
9.8 Oct 31

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8

CVE-2023-1886 CRITICAL POC
9.8 Apr 05

Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2026-46364 CRITICAL POC
9.3 May 15

Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and

CVE-2017-15730 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS

CVE-2017-15808 HIGH POC
8.8 Oct 23

In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2017-15735 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS

CVE-2017-15734 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8

CVE-2024-28107 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2024-27299 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2023-1762 HIGH POC
8.8 Mar 31

Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th

Share

EUVD-2026-44632 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy