phpMyFAQ: Public API endpoints expose emails and invisible questions
Description
phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyFAQ ≤4.0.16 exposes user emails and non-public content via public API endpoints due to missing access controls.
Vulnerability
Description
The phpMyFAQ application (versions 4.0.16 and earlier) contains an information disclosure vulnerability in its public API endpoints. Specifically, the OpenQuestionController::list() endpoint invokes Question::getAll() with the default parameter showAll=true, causing it to return questions that are marked as non-public (isVisible=false) along with the email addresses of the users who submitted them [1][3]. Similar issues exist in comment, news, and FAQ APIs, where sensitive data such as email addresses and private records are exposed without proper authentication checks [1].
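To make the flawed default concrete, here is an added PHP sketch that is not phpMyFAQ's own code: a hypothetical data-layer function whose showAll flag defaults to true (the pattern the advisory describes) next to a public-listing function that requests only visible records and drops the submitter's email. The sample rows, function names and the admin flag are constructed for the illustration.

```php
<?php
// Illustrative example, not phpMyFAQ's code. Shows the advisory's pattern: a
// public list handler relying on a data-layer default that returns everything.
declare(strict_types=1);

// Constructed sample rows standing in for stored open questions.
$questions = [
    ['id' => 1, 'question' => 'How do I reset my password?',
     'email' => 'alice@example.org', 'isVisible' => true],
    ['id' => 2, 'question' => 'Internal: renewal pricing for 2026?',
     'email' => 'bob@example.org', 'isVisible' => false],
];

// Vulnerable shape (hypothetical): $showAll defaults to true, so a caller
// that forgets the argument gets hidden rows and emails back unchanged.
function getAllVulnerable(array $rows, bool $showAll = true): array
{
    if ($showAll) {
        return $rows;
    }
    return array_values(array_filter($rows, fn(array $r): bool => $r['isVisible']));
}

// Hardened shape (hypothetical): the public handler never depends on a
// permissive default. It filters to visible rows unless the caller is an
// authenticated admin, and only then includes the email field.
function listPublicQuestions(array $rows, bool $isAuthenticatedAdmin = false): array
{
    $visible = $isAuthenticatedAdmin
        ? $rows
        : array_values(array_filter($rows, fn(array $r): bool => $r['isVisible'] === true));

    return array_map(function (array $r) use ($isAuthenticatedAdmin): array {
        $out = ['id' => $r['id'], 'question' => $r['question'], 'isVisible' => $r['isVisible']];
        if ($isAuthenticatedAdmin) {
            $out['email'] = $r['email'];   // never sent to anonymous callers
        }
        return $out;
    }, $visible);
}

// Checks an endpoint test should carry: the anonymous response has no hidden
// record and no email key, while the permissive default leaks both.
$public = listPublicQuestions($questions);
assert(count($public) === 1 && !array_key_exists('email', $public[0]));
assert(count(getAllVulnerable($questions)) === 2);

echo json_encode($public, JSON_THROW_ON_ERROR), "\n";
```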
Exploitation
The vulnerable endpoints are publicly accessible and require no authentication. An attacker can simply make a GET request to /api/v3.0/open-questions (or similar paths) to retrieve the exposed data [3]. The official proof-of-concept demonstrates that a simple curl command suffices to extract email addresses and hidden content [3]. No special privileges or network position are needed; the attack can be carried out remotely over the internet.
Impact
This vulnerability enables attackers to harvest email addresses for phishing campaigns or to scrape content that administrators intended to be private. The exposure of internal or unanswered questions could also reveal sensitive business information. The overall impact is a breach of user privacy and potential facilitation of social engineering attacks [1][3].
Mitigation
The issue has been addressed in phpMyFAQ version 4.0.17 [1]. Users are strongly advised to upgrade to this version to prevent unauthorized access to sensitive API data.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyfaq/phpmyfaq (Packagist) | < 4.0.17 | 4.0.17 |
| thorsten/phpmyfaq (Packagist) | < 4.0.17 | 4.0.17 |
Affected products
- Range: <=4.0.16
Patches
No patches discovered yet.
References
- [1] github.com/advisories/GHSA-j4rc-96xj-gvqc (GitHub Advisory Database)
- [2] nvd.nist.gov/vuln/detail/CVE-2026-24422 (NVD)
- [3] github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc (vendor advisory)