VYPR
Medium severity4.3NVD Advisory· Published May 15, 2026· Updated May 28, 2026

CVE-2026-45007

CVE-2026-45007

Description

phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT). Any authenticated user can enumerate system configuration metadata including permission model, cache backend, mail provider, and translation provider by querying /admin/api/configuration endpoints, violating least privilege access control.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
thorsten/phpmyfaqPackagist
< 4.1.24.1.2
phpmyfaq/phpmyfaqPackagist
< 4.1.24.1.2

Affected products

1

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.