CVE-2026-46365
Description
phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, including regular frontend users, can delete arbitrary tags by sending a DELETE request with a valid session cookie, resulting in permanent data loss and disruption of FAQ organization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyFAQ before 4.1.2 allows any authenticated user to delete arbitrary tags via the DELETE /admin/api/content/tags/{tagId} endpoint due to missing permission checks.
Vulnerability
The TagController::delete() endpoint in phpMyFAQ before 4.1.2, reached at DELETE /admin/api/content/tags/{tagId}, only verifies that the caller is logged in via userIsAuthenticated() and enforces no permission check beyond that [1]. The update() and search() methods in the same controller, by contrast, require the FAQ_EDIT permission [1]. Because authentication is the only gate, any logged-in account, including a regular frontend user, can delete tags by sending a DELETE request with a valid session cookie [1][2].
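The authorization gap above, modeled as an added example. This is not phpMyFAQ's own code: User, TagStore, the controller shape and the enum-based permission check are hypothetical stand-ins that reproduce the pattern the description gives (a login-only gate in delete() versus the FAQ_EDIT check its sibling methods make), so the vulnerable and fixed shapes can be compared side by side.

```php
<?php
// Added example, not phpMyFAQ's code. User, TagStore and TagController are
// hypothetical stand-ins for the real classes; only the check pattern is real.
declare(strict_types=1);

enum PermissionType: string
{
    case FAQ_EDIT = 'faq_edit';
}

final class User
{
    /** @param PermissionType[] $permissions */
    public function __construct(
        public readonly string $name,
        public readonly bool $loggedIn,
        private readonly array $permissions = [],
    ) {}

    public function hasPermission(PermissionType $p): bool
    {
        return in_array($p, $this->permissions, true);
    }
}

final class TagStore
{
    /** @var array<int,string> constructed sample data */
    public array $tags = [1 => 'php', 2 => 'security', 3 => 'mysql'];

    public function delete(int $tagId): bool
    {
        if (!isset($this->tags[$tagId])) {
            return false;
        }
        unset($this->tags[$tagId]);
        return true;
    }
}

final class TagController
{
    public function __construct(private readonly User $user, private readonly TagStore $store) {}

    private function userIsAuthenticated(): bool
    {
        return $this->user->loggedIn;
    }

    private function userHasPermission(PermissionType $p): bool
    {
        return $this->user->hasPermission($p);
    }

    // Vulnerable shape: being logged in is the only gate, so any session may delete.
    public function deleteVulnerable(int $tagId): int
    {
        if (!$this->userIsAuthenticated()) {
            return 401;
        }
        return $this->store->delete($tagId) ? 200 : 404;
    }

    // Fixed shape: the same FAQ_EDIT check the sibling update()/search() already make,
    // evaluated before any data is touched.
    public function deleteFixed(int $tagId): int
    {
        if (!$this->userIsAuthenticated()) {
            return 401;
        }
        if (!$this->userHasPermission(PermissionType::FAQ_EDIT)) {
            return 403; // authenticated but not authorized
        }
        return $this->store->delete($tagId) ? 200 : 404;
    }
}

// Simulation: a plain frontend account with a valid session and no admin permissions.
$frontendUser = new User('alice', loggedIn: true);

$store = new TagStore();
$vuln  = new TagController($frontendUser, $store);
printf("vulnerable: DELETE /admin/api/content/tags/2 -> %d, tags left: %s\n",
    $vuln->deleteVulnerable(2), implode(',', array_keys($store->tags)));

$store = new TagStore();
$fixed = new TagController($frontendUser, $store);
printf("fixed:      DELETE /admin/api/content/tags/2 -> %d, tags left: %s\n",
    $fixed->deleteFixed(2), implode(',', array_keys($store->tags)));

// An account that actually holds FAQ_EDIT still succeeds on the fixed path.
$editor = new User('bob', loggedIn: true, permissions: [PermissionType::FAQ_EDIT]);
printf("fixed, editor: DELETE /admin/api/content/tags/2 -> %d\n",
    (new TagController($editor, new TagStore()))->deleteFixed(2));
```

Run with `php example.php` (PHP 8.1 or later for enums and readonly properties). The vulnerable path returns 200 for the frontend user and tag 2 is gone; the fixed path returns 403 and the tag set is untouched, while the editor holding FAQ_EDIT still gets 200. The point for reviewers is that every method on an /admin/api controller needs its own permission check: an authentication check shared across the controller says nothing about what a given session is allowed to change.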
Exploitation
An attacker needs only a valid session cookie for any authenticated phpMyFAQ account, including a standard frontend user account; no administrative or other elevated privileges are required [1]. The attacker enumerates or guesses tag IDs and sends a DELETE request to the vulnerable endpoint for each one, permanently deleting the specified tag [1][2].
Impact
Successful exploitation results in permanent data loss of tags and disruption of FAQ organization, as tags are used to categorize and retrieve FAQ entries [1][2]. The vulnerability has a CVSS v3 score of 5.4 (Medium) and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [2].
Mitigation
The vulnerability is fixed in phpMyFAQ version 4.1.2 [1][2]. Users should upgrade immediately. No workaround is available for earlier versions.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.