Missing Authorization in phpMyFAQ - #VU130120

 

Published: May 5, 2026


Vulnerability identifier: #VU130120
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Thorsten Rinne
Affected software: phpMyFAQ

Detailed vulnerability description

The vulnerability allows a remote user to disclose configuration metadata.

The vulnerability exists because the ConfigurationTabController admin API endpoints perform no authorization check when handling authenticated requests. A remote authenticated user can send requests to the affected /admin/api/configuration endpoints to disclose configuration metadata.

The issue affects 12 GET endpoints and exposes details such as the permission model, active template, cache backend, mail provider, translation provider, and release environment.


Remediation

Install the security update from the vendor's website.

Sources