Key Vulnerability Information

Severity: High (7.2/10 CVSS v3 score)
CVE ID: CVE-2025-62519
Affected Package: phpMyFAQ
Affected Version: 4.0.13
Patched Version: 4.0.14
Weakness: CWE-89 (SQL Injection)

Summary

An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands, leading to potential full compromise of the database.

Technical Details

The vulnerability is in the method of . The key from user input is used unsanitized to build a SQL query string in . An attacker can craft a malicious form parameter name to break out of single quotes and inject SQL commands.

Proof of Concept (PoC)

Requires an authenticated user with configuration edit permissions.
Involves capturing a configuration save request and modifying the request body to inject a malicious key.
Confirmed successful by an internal server error response with database error messages.
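
The defect class described under Technical Details, shown next to a hardened form. This is an added example in Python with SQLite, not phpMyFAQ's own PHP code; the table, column and key names and the sample form are assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical schema: table, column and key names are assumptions, not phpMyFAQ's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE config (config_name TEXT PRIMARY KEY, config_value TEXT)")
    db.executemany("INSERT INTO config VALUES (?, ?)",
                   [("site.language", "en"), ("site.title", "FAQ")])  # constructed rows
    return db

def update_unsafe(db, form):
    """Flawed pattern: the form field NAME is pasted into the SQL text.
    The value is bound, which does not help, because the key is not."""
    for key, value in form.items():
        db.execute(
            "UPDATE config SET config_value = ? WHERE config_name = '%s'" % key,
            (value,))

def update_safe(db, form):
    """Hardened: a key is accepted only if it is an existing configuration
    name, and it is passed as a bound parameter, never concatenated."""
    known = {row[0] for row in db.execute("SELECT config_name FROM config")}
    rejected = []
    for key, value in form.items():
        if key not in known:
            rejected.append(key)  # surface for logging and alerting
            continue
        db.execute(
            "UPDATE config SET config_value = ? WHERE config_name = ?",
            (value, key))
    return rejected

def snapshot(db):
    return dict(db.execute("SELECT config_name, config_value FROM config"))

# Constructed request body: one legitimate field and one field whose
# name contains a single quote, as the advisory describes.
HOSTILE_FORM = {"site.language": "de", "x' OR '1'='1": "overwritten"}

if __name__ == "__main__":
    db = make_db()
    update_unsafe(db, HOSTILE_FORM)
    print("unsafe:", snapshot(db))    # every row is rewritten

    db = make_db()
    print("rejected:", update_safe(db, HOSTILE_FORM))
    print("safe:  ", snapshot(db))    # only the legitimate key changed
```

Rejected keys are returned rather than silently dropped so the caller can log them; a form field name that is not a known configuration key is a useful detection signal on its own.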