Packagist (Composer) package
thorsten/phpmyfaq
pkg:composer/thorsten/phpmyfaq
Vulnerabilities (89)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-35676 | Hig | 8.2 | < 4.1.3 | 4.1.3 | May 28, 2026 | phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password | |
| CVE-2026-35675 | Hig | 8.2 | < 4.1.3 | 4.1.3 | May 28, 2026 | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintex | |
| CVE-2026-35672 | Hig | 7.5 | < 4.1.3 | 4.1.3 | May 28, 2026 | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicio | |
| CVE-2026-35671 | Hig | 8.8 | < 4.1.3 | 4.1.3 | May 28, 2026 | phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can | |
| CVE-2026-34974 | Med | 5.4 | < 4.1.1 | 4.1.1 | Apr 2, 2026 | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with edit_faq permission can upload a malic | |
| CVE-2026-34973 | Med | 5.3 | < 4.1.1 | 4.1.1 | Apr 2, 2026 | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does | |
| CVE-2026-32629 | Med | 6.1 | < 4.1.1 | 4.1.1 | Apr 2, 2026 | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example ""@evil.com. | |
| CVE-2026-27836 | — | < 4.0.18 | 4.0.18 | Feb 27, 2026 | phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers t | ||
| CVE-2026-24422 | — | < 4.0.17 | 4.0.17 | Jan 24, 2026 | phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by | ||
| CVE-2026-24420 | — | < 4.0.17 | 4.0.17 | Jan 24, 2026 | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of author | ||
| CVE-2026-24421 | — | < 4.0.17 | 4.0.17 | Jan 24, 2026 | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the | ||
| CVE-2025-69200 | — | < 4.0.16 | 4.0.16 | Dec 29, 2025 | phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains s | ||
| CVE-2025-68951 | — | >= 4.0.14, < 4.0.16 | 4.0.16 | Dec 29, 2025 | phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. | ||
| CVE-2023-53929 | — | <= 3.1.12 | — | Dec 17, 2025 | phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user | ||
| CVE-2025-62519 | — | < 4.0.14 | 4.0.14 | Nov 17, 2025 | phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Succe | ||
| CVE-2025-59943 | — | >= 4.0.7, < 4.0.13 | 4.0.13 | Oct 3, 2025 | phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier | ||
| CVE-2024-56199 | — | >= 3.2.10, <= 4.0.1 | — | Jan 2, 2025 | phpMyFAQ is an open source FAQ web application. Starting no later than version 3.2.10 and prior to version 4.0.2, an attacker can inject malicious HTML content into the FAQ editor at `http[:]//localhost/admin/index[.]php?action=editentry`, resulting in a complete disruption of th | ||
| CVE-2024-55889 | — | < 3.2.10 | 3.2.10 | Dec 13, 2024 | phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an element without user interactio | ||
| CVE-2024-54141 | — | < 4.0.0 | 4.0.0 | Dec 6, 2024 | phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (ie postgreSQL) server's credential when connection to DB fails. This vulnerability is fixed in 4.0.0. | ||
| CVE-2023-6890 | — | < 3.1.17 | 3.1.17 | Dec 16, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.17. |
- affected < 4.1.3fixed 4.1.3
phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password
- affected < 4.1.3fixed 4.1.3
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintex
- affected < 4.1.3fixed 4.1.3
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicio
- affected < 4.1.3fixed 4.1.3
phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can
- affected < 4.1.1fixed 4.1.1
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with edit_faq permission can upload a malic
- affected < 4.1.1fixed 4.1.1
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does
- affected < 4.1.1fixed 4.1.1
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example ""@evil.com.
- CVE-2026-27836Feb 27, 2026affected < 4.0.18fixed 4.0.18
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers t
- CVE-2026-24422Jan 24, 2026affected < 4.0.17fixed 4.0.17
phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by
- CVE-2026-24420Jan 24, 2026affected < 4.0.17fixed 4.0.17
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of author
- CVE-2026-24421Jan 24, 2026affected < 4.0.17fixed 4.0.17
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the
- CVE-2025-69200Dec 29, 2025affected < 4.0.16fixed 4.0.16
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains s
- CVE-2025-68951Dec 29, 2025affected >= 4.0.14, < 4.0.16fixed 4.0.16
phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities.
- CVE-2023-53929Dec 17, 2025affected <= 3.1.12
phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user
- CVE-2025-62519Nov 17, 2025affected < 4.0.14fixed 4.0.14
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Succe
- CVE-2025-59943Oct 3, 2025affected >= 4.0.7, < 4.0.13fixed 4.0.13
phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier
- CVE-2024-56199Jan 2, 2025affected >= 3.2.10, <= 4.0.1
phpMyFAQ is an open source FAQ web application. Starting no later than version 3.2.10 and prior to version 4.0.2, an attacker can inject malicious HTML content into the FAQ editor at `http[:]//localhost/admin/index[.]php?action=editentry`, resulting in a complete disruption of th
- CVE-2024-55889Dec 13, 2024affected < 3.2.10fixed 3.2.10
phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an element without user interactio
- CVE-2024-54141Dec 6, 2024affected < 4.0.0fixed 4.0.0
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (ie postgreSQL) server's credential when connection to DB fails. This vulnerability is fixed in 4.0.0.
- CVE-2023-6890Dec 16, 2023affected < 3.1.17fixed 3.1.17
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.17.
Page 1 of 5