Moderate severity · NVD Advisory · Published Jan 24, 2026 · Updated Jan 26, 2026
phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)
CVE-2026-24420
Description
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomplete permission check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version
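The class of check described above, as an added example that is not phpMyFAQ's code or its patch: a key-presence test beside a deny-by-default value test, run over constructed rights maps. The function names, the `view_faqs` key and the map layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Weak pattern (illustrative): the key being present counts as authorization.
function canDownloadWeak(array $rights): bool
{
    return array_key_exists('dlattachment', $rights);
}

// Hardened pattern: deny by default; only an explicit boolean true grants.
function canDownloadStrict(array $rights): bool
{
    return ($rights['dlattachment'] ?? false) === true;
}

// User and group rights are evaluated separately, then combined in one
// explicit expression, so operator precedence cannot change the outcome.
function mayServeAttachment(bool $loggedIn, array $userRights, array $groupRights): bool
{
    if (!$loggedIn) {
        return false;
    }
    return canDownloadStrict($userRights) || canDownloadStrict($groupRights);
}

// Constructed rights maps (hypothetical layout), one per edge case.
$cases = [
    'right granted'      => ['dlattachment' => true],
    'key present, false' => ['dlattachment' => false],
    'key present, null'  => ['dlattachment' => null],
    'key present, 0'     => ['dlattachment' => 0],
    'key absent'         => ['view_faqs' => true],
];

foreach ($cases as $label => $rights) {
    printf(
        "%-20s weak=%-5s strict=%-5s served=%s\n",
        $label,
        var_export(canDownloadWeak($rights), true),
        var_export(canDownloadStrict($rights), true),
        var_export(mayServeAttachment(true, $rights, []), true)
    );
}
```

Rows where the weak and strict columns disagree are the inputs worth pinning in a regression test for any download handler that gates on a rights map.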
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyfaq/phpmyfaq (Packagist) | < 4.0.17 | 4.0.17 |
| thorsten/phpmyfaq (Packagist) | < 4.0.17 | 4.0.17 |
Affected products
- ghsa-coords (2 versions): < 4.0.17 + 1 more
  - (no CPE) range: < 4.0.17
  - (no CPE) range: < 4.0.17
References
- github.com/advisories/GHSA-7p9h-m7m8-vhhv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-24420 (ghsa, ADVISORY)
- github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv (ghsa, x_refsource_CONFIRM, WEB)