Incorrect authorization in phpMyFAQ - #VU130115
Published: May 5, 2026


Vulnerability identifier: #VU130115
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Thorsten Rinne
Affected software: phpMyFAQ

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the fallback query used by getIdFromSolutionId() and getFaqBySolutionId() in phpmyfaq/src/phpMyFAQ/Faq.php when handling solution ID lookups. A remote attacker can send requests with sequential solution IDs to disclose sensitive information.

The issue can reveal the existence of restricted FAQ entries, together with their metadata (internal id, language, category binding and title), through redirect locations and related page metadata, even though rendering of the entry body is denied by a separate permission check.
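The defect class described above is an ordering problem: the solution ID is resolved to a record and a redirect (with its Location header and page metadata) is produced before the permission check runs, so the response shape alone tells a caller whether a restricted entry exists. The following is an added illustration, not phpMyFAQ's own code; the entry store, the `vulnerable_lookup` and `hardened_lookup` handlers, the URL layout and the sample records are all constructed assumptions. It contrasts a lookup that leaks existence with one that applies the authorization check first and returns an identical 404 for "missing" and "not permitted".

```python
"""Authorization ordering for solution-ID lookups (added example, not phpMyFAQ code).

CWE-863 in this setting: a fallback that maps a solution ID to an internal
FAQ record and then redirects, before the permission check, lets the 302
Location and page metadata reveal restricted entries. The hardened handler
checks permission before choosing a response and collapses "not found" and
"not permitted" into one indistinguishable response.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FaqEntry:
    id: int
    solution_id: int
    lang: str
    category_id: int
    title: str
    restricted: bool  # True: only privileged users may read the entry


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    meta: dict = field(default_factory=dict)


# Constructed sample data standing in for the FAQ table (hypothetical values).
FAQS = [
    FaqEntry(1, 1000, "en", 3, "Public install guide", False),
    FaqEntry(2, 1001, "en", 7, "Internal escalation contacts", True),
]

NOT_FOUND = Response(404)


def find_by_solution_id(solution_id: int):
    """Fallback query: resolve a public solution ID to the internal record."""
    return next((f for f in FAQS if f.solution_id == solution_id), None)


def user_may_read(entry: FaqEntry, privileged: bool) -> bool:
    return not entry.restricted or privileged


def canonical_redirect(entry: FaqEntry) -> Response:
    # Assumed URL layout; the Location header and metadata carry id, lang,
    # category and title, which is exactly what must not leak for restricted entries.
    location = f"/index.php?action=faq&cat={entry.category_id}&id={entry.id}&artlang={entry.lang}"
    meta = {"id": entry.id, "lang": entry.lang, "category": entry.category_id, "title": entry.title}
    return Response(302, {"Location": location}, meta)


def vulnerable_lookup(solution_id: int, privileged: bool) -> Response:
    """Redirects as soon as the record resolves; the permission check only
    runs later, when the redirect target renders the body. The caller's
    privilege is never consulted here, so a 302 is an existence oracle."""
    entry = find_by_solution_id(solution_id)
    if entry is None:
        return NOT_FOUND
    return canonical_redirect(entry)


def hardened_lookup(solution_id: int, privileged: bool) -> Response:
    """Authorize before revealing anything about the record, and return the
    same response for a missing entry and for a denied one."""
    entry = find_by_solution_id(solution_id)
    if entry is None or not user_may_read(entry, privileged):
        return NOT_FOUND
    return canonical_redirect(entry)


def is_existence_oracle(handler, restricted_sid: int, missing_sid: int) -> bool:
    """True when an unprivileged caller can tell a restricted entry from a
    non-existent one by comparing the two responses."""
    return handler(restricted_sid, False) != handler(missing_sid, False)


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        print(f"{name}: existence oracle = {is_existence_oracle(h, 1001, 9999)}")
```

The check that matters for this bug is `is_existence_oracle`: the response for a restricted solution ID and the response for an unknown one must be identical to an unprivileged caller, in status, headers and any metadata the page template would emit. Applying the same permission predicate that gates body rendering to the lookup step is what closes the gap.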


Remediation

Install the security update from the vendor's website.

Sources