High severity · OSV Advisory · Published Dec 29, 2025 · Updated Dec 29, 2025
phpMyFAQ has unauthenticated config backup download via /api/setup/backup
CVE-2025-69200
Description
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., database.php with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue.
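Detection logic an operator could run over web-server access logs to spot the two-step sequence the advisory describes (a POST to /api/setup/backup, then a successful download of a .zip by the same client). This is an added example, not code from phpMyFAQ or from the advisory; the log lines are constructed and the download directory is a placeholder, since the advisory only says the ZIP lands in a web-accessible location.

```python
import re

# Constructed sample access-log lines in the common "combined" format; not real traffic.
# The backup directory is a placeholder: the advisory does not name where the ZIP is written.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Dec/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Dec/2025:10:01:09 +0000] "POST /api/setup/backup HTTP/1.1" 200 312 "-" "curl/8.4.0"
203.0.113.7 - - [29/Dec/2025:10:01:11 +0000] "GET /PLACEHOLDER-BACKUP-DIR/phpmyfaq-backup.zip HTTP/1.1" 200 18432 "-" "curl/8.4.0"
198.51.100.4 - - [29/Dec/2025:10:02:30 +0000] "GET /api/faq/1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Dec/2025:10:03:00 +0000] "POST /api/setup/backup HTTP/1.1" 403 120 "-" "python-requests/2.31"
"""

# Fields we need from a combined-format line: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

BACKUP_ENDPOINT = "/api/setup/backup"


def find_backup_abuse(log_text):
    """Return one finding per client that hit the backup endpoint.

    Each finding is (ip, HTTP status of the POST, path of a later successful .zip GET or None).
    Lines are assumed to be in chronological order, as web-server logs normally are.
    """
    posts = {}      # ip -> status of its first POST to the backup endpoint
    downloads = {}  # ip -> first .zip path fetched with 200 after that POST
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?")[0]  # ignore any query string
        if method == "POST" and path == BACKUP_ENDPOINT and ip not in posts:
            posts[ip] = status
        elif (method == "GET" and ip in posts and ip not in downloads
              and path.lower().endswith(".zip") and status == 200):
            downloads[ip] = path
    return [(ip, posts[ip], downloads.get(ip)) for ip in posts]


if __name__ == "__main__":
    for ip, status, zip_path in find_backup_abuse(SAMPLE_LOG):
        verdict = f"backup generated and downloaded from {zip_path}" if zip_path else "backup endpoint hit"
        print(f"{ip}: POST {BACKUP_ENDPOINT} -> {status}; {verdict}")
```

The endpoint is only needed during installation, so any hit outside that window is worth reviewing even when it was rejected; a 200 on the POST followed by a .zip download is the disclosure itself.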
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| thorsten/phpmyfaq (Packagist) | < 4.0.16 | 4.0.16 |
| thorsten/phpmyfaq (Packagist) | >= 4.1.0-alpha, <= 4.1.0-beta.2 | — |
Affected products (1)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-9cg9-4h4f-j6fg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-69200 (NVD entry)
- github.com/thorsten/phpMyFAQ/commit/b0e99ee3695152115841cb546d8dce64ceb8c29a (commit)
- github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9cg9-4h4f-j6fg (vendor advisory, confirmed)