VYPR
Moderate severity · NVD Advisory · Published Jan 24, 2026 · Updated Jan 26, 2026

phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

CVE-2026-24420

Description

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomplete permissions check. In attachment.php, the mere presence of a right key is improperly accepted as proof of authorization. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version
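
To illustrate the first flaw described above (key presence accepted as proof of authorization), this added example contrasts that pattern with a deny-by-default check. It is not phpMyFAQ's code: the function names, the shape of the rights map and the user-or-group rule are assumptions made for illustration, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/** Weak pattern: the key being present is taken as proof of authorization. */
function canDownloadByKeyPresence(array $rights): bool
{
    return array_key_exists('dlattachment', $rights);
}

/** Deny by default: the right must be present AND strictly true. */
function hasRight(array $rights, string $name): bool
{
    return ($rights[$name] ?? false) === true;
}

/** Assumed model: a grant from the user or from their group suffices. */
function canDownload(array $userRights, array $groupRights): bool
{
    return hasRight($userRights, 'dlattachment')
        || hasRight($groupRights, 'dlattachment');
}

// Constructed cases: [label, user rights, group rights, expected decision].
$cases = [
    ['right listed but not granted', ['dlattachment' => false], [], false],
    ['right absent everywhere',      ['viewfaqs' => true],      [], false],
    ['granted to user',              ['dlattachment' => true],  [], true],
    ['granted via group only',       ['dlattachment' => false], ['dlattachment' => true], true],
    ['non-boolean value',            ['dlattachment' => '0'],   [], false],
];

foreach ($cases as [$label, $user, $group, $expected]) {
    $weak   = canDownloadByKeyPresence($user);
    $strict = canDownload($user, $group);
    if ($strict !== $expected) {
        throw new RuntimeException("strict check gave the wrong decision for: $label");
    }
    // Rows where key-presence is true but expected is false show the flaw.
    printf(
        "%-30s key-presence=%-5s strict=%-5s expected=%s\n",
        $label,
        var_export($weak, true),
        var_export($strict, true),
        var_export($expected, true)
    );
}
```

A table of cases like this one can serve as a regression test for the download endpoint after upgrading to the patched release.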


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions   Patched versions
phpmyfaq/phpmyfaq (Packagist)   < 4.0.17            4.0.17
thorsten/phpmyfaq (Packagist)   < 4.0.17            4.0.17
