Packagist (Composer) package
thorsten/phpmyfaq
pkg:composer/thorsten/phpmyfaq
Vulnerabilities (85)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34974 | Med | 5.4 | | < 4.1.1 | 4.1.1 | Apr 2, 2026 | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with edit_faq permission can upload a malic |
| CVE-2026-34973 | Med | 5.3 | | < 4.1.1 | 4.1.1 | Apr 2, 2026 | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does |
| CVE-2026-32629 | Med | 6.1 | | < 4.1.1 | 4.1.1 | Apr 2, 2026 | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML, for example ""@evil.com. |
| CVE-2026-27836 | — | | | < 4.0.18 | 4.0.18 | Feb 27, 2026 | phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers t |
| CVE-2026-24422 | — | | | < 4.0.17 | 4.0.17 | Jan 24, 2026 | phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by |
| CVE-2026-24420 | — | | | < 4.0.17 | 4.0.17 | Jan 24, 2026 | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomplete permissions check. The presence of a right key is improperly validated as proof of author |
| CVE-2026-24421 | — | | | < 4.0.17 | 4.0.17 | Jan 24, 2026 | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user regardless of their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the |
| CVE-2025-69200 | — | | | < 4.0.16 | 4.0.16 | Dec 29, 2025 | phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains s |
| CVE-2025-68951 | — | | | >= 4.0.14, < 4.0.16 | 4.0.16 | Dec 29, 2025 | phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator's browser by registering a user whose display name contains HTML entities. |
| CVE-2023-53929 | — | | | <= 3.1.12 | — | Dec 17, 2025 | phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc\|a!z\|' to trigger code execution when an administrator exports user |
| CVE-2025-62519 | — | | | < 4.0.14 | 4.0.14 | Nov 17, 2025 | phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Succe |
| CVE-2025-59943 | — | | | >= 4.0.7, < 4.0.13 | 4.0.13 | Oct 3, 2025 | phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier |
| CVE-2024-56199 | — | | | >= 3.2.10, <= 4.0.1 | — | Jan 2, 2025 | phpMyFAQ is an open source FAQ web application. Starting no later than version 3.2.10 and prior to version 4.0.2, an attacker can inject malicious HTML content into the FAQ editor at `http[:]//localhost/admin/index[.]php?action=editentry`, resulting in a complete disruption of th |
| CVE-2024-55889 | — | | | < 3.2.10 | 3.2.10 | Dec 13, 2024 | phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an element without user interactio |
| CVE-2024-54141 | — | | | < 4.0.0 | 4.0.0 | Dec 6, 2024 | phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (e.g. PostgreSQL) server's credentials when the connection to the DB fails. This vulnerability is fixed in 4.0.0. |
| CVE-2023-6890 | — | | | < 3.1.17 | 3.1.17 | Dec 16, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.17. |
| CVE-2023-6889 | — | | | < 3.1.17 | 3.1.17 | Dec 16, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.17. |
| CVE-2023-5866 | — | | | < 3.2.1 | 3.2.1 | Oct 31, 2023 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1. |
| CVE-2023-5867 | — | | | < 3.2.2 | 3.2.2 | Oct 31, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.2. |
| CVE-2023-5865 | — | | | < 3.2.2 | 3.2.2 | Oct 31, 2023 | Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. |
Page 1 of 5