
phpMyFAQ — Vulnerabilities & Security Advisories (47)

All 47 CVE vulnerabilities found in phpMyFAQ, with AI-generated Chinese analysis, references, and POCs.

This page indexes the known CVEs for phpMyFAQ, an open-source FAQ system written in PHP, grouped by weakness type (CWE). The recurring classes are stored cross-site scripting (several of them sanitizer or Twig escaping bypasses), SQL injection, missing or incomplete authorization checks on /api/* and admin endpoints, path traversal, and weak password hashing. Entries run from the earliest public disclosures through recently patched issues, so the list shows how long a weakness class has recurred in the code base; CVE-2026-49205, for example, is recorded as an incomplete fix of CVE-2026-24421. Each entry gives the CVE ID, advisory title, CWE, CVSS score and severity, and publication date, with references to the vendor advisory and patch where available. Administrators can use it to check whether an installed version is exposed to a published issue, and developers and analysts to see which weakness classes recur and what mitigations were applied, without searching several sources.

Vendor: thorsten

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-49205 | phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix) | CWE-862 | 6.5 | Medium | 2026-06-18 |
| CVE-2026-48488 | phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing | CWE-328 | - | - | 2026-06-08 |
| CVE-2026-35676 | phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint | CWE-640 | 8.2 | High | 2026-05-28 |
| CVE-2026-35675 | phpMyFAQ - Authentication Bypass via Missing Password Reset Token in /api/user/password/update | CWE-307 | 8.2 | High | 2026-05-28 |
| CVE-2026-35672 | phpMyFAQ - Authentication Bypass via Empty API Token | CWE-1188 | 7.5 | High | 2026-05-28 |
| CVE-2026-35671 | phpMyFAQ - Insecure Direct Object Reference in User Password API | CWE-266 | 8.8 | High | 2026-05-28 |
| CVE-2026-46367 | phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering | CWE-79 | 7.6 | High | 2026-05-15 |
| CVE-2026-46366 | phpMyFAQ - Unauthenticated Information Disclosure via getIdFromSolutionId Permission Bypass | CWE-863 | 7.5 | High | 2026-05-15 |
| CVE-2026-46365 | phpMyFAQ - Missing Authorization in Tag Deletion Endpoint | CWE-862 | 5.4 | Medium | 2026-05-15 |
| CVE-2026-46364 | phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha | CWE-89 | 9.8 | Critical | 2026-05-15 |
| CVE-2026-46363 | phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass | CWE-79 | 5.4 | Medium | 2026-05-15 |
| CVE-2026-46362 | phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check | CWE-863 | 6.5 | Medium | 2026-05-15 |
| CVE-2026-46361 | phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig | CWE-79 | 6.9 | Medium | 2026-05-15 |
| CVE-2026-46360 | phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer | CWE-79 | 5.4 | Medium | 2026-05-15 |
| CVE-2026-46359 | phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Unescaped OAuth Token Fields | CWE-89 | 7.5 | High | 2026-05-15 |
| CVE-2026-45010 | phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint | CWE-307 | 9.1 | Critical | 2026-05-15 |
| CVE-2026-45009 | phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints | CWE-863 | 4.3 | Medium | 2026-05-15 |
| CVE-2026-45008 | phpMyFAQ - Path Traversal in Client::deleteClientFolder via URL Parameter | CWE-73 | 6.5 | Medium | 2026-05-15 |
| CVE-2026-45007 | phpMyFAQ - Missing Permission Check on 12 Configuration API Endpoints Allows Information Disclosure | CWE-862 | 4.3 | Medium | 2026-05-15 |
| CVE-2026-34974 | phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding leads to Stored XSS and Privilege Escalation | CWE-79 | 5.4 | Medium | 2026-04-02 |
| CVE-2026-34973 | phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure | CWE-943 | 8.2 (AI) | High (AI) | 2026-04-02 |
| CVE-2026-34729 | phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes() | CWE-79 | 6.1 | Medium | 2026-04-02 |
| CVE-2026-34728 | phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController | CWE-22 | 8.7 | High | 2026-04-02 |
| CVE-2026-32629 | phpMyFAQ: Stored XSS via Unsanitized Email Field in Admin FAQ Editor | CWE-20 | 6.1 (AI) | Medium (AI) | 2026-04-02 |
| CVE-2026-27836 | phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint | CWE-862 | 7.5 | High | 2026-02-27 |
| CVE-2026-24422 | phpMyFAQ: Public API endpoints expose emails and invisible questions | CWE-200 | 5.3 | Medium | 2026-01-24 |
| CVE-2026-24420 | phpMyFAQ: Attachment download allowed without dlattachment right (broken access control) | CWE-284 | 6.5 | Medium | 2026-01-24 |
| CVE-2026-24421 | phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user | CWE-862 | 6.5 | Medium | 2026-01-24 |
| CVE-2025-69200 | phpMyFAQ has unauthenticated config backup download via /api/setup/backup | CWE-202 | 7.5 | High | 2025-12-29 |
| CVE-2025-68951 | phpMyFAQ has stored XSS in admin "List of users" via display_name HTML entity decoding (html_entity_decode) + Twig \|raw | CWE-79 | 5.4 | Medium | 2025-12-29 |

The table above reproduces 30 of the 47 indexed entries, those published between 2025-12-29 and 2026-06-18; each entry on the page carries Chinese analysis, references, and a POC where one is available. A CVSS value of "-" means no score had been published for that entry when the page was captured, and values tagged AI are flagged on the page as AI-generated, so treat them as estimates rather than vendor-assigned scores.
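The rows on this page were extracted with their cells run together, which is also the form a scraper or a copy-and-paste from the index yields. The following Python script is an added example, not code from the page or from the phpMyFAQ project: it parses rows in that flattened format into structured records, handles the two irregular cases (a "-" where no score was published, and the AI tag glued onto the score and severity), and produces the per-severity and per-CWE counts and the list of entries at or above a CVSS threshold that a triage would start from. The sample rows are copied verbatim from the table above; the regular expression, the 7.0 default threshold and the function names are the example's own assumptions about the layout.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Rows as they came off the page, cells run together:
#   "<CVE-ID> <title> <CWE-n> <score> <Severity><YYYY-MM-DD>"
# Irregular cases handled below: "--" where no score/severity was published
# and an "AI" tag glued to the score and severity ("8.2AIHighAI2026-04-02").
# The pattern is this example's own assumption about the page layout.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.*?)\s+"
    r"(?P<cwe>CWE-\d+)\s*"
    r"(?P<score>\S+?)(?P<score_ai>AI)?\s*"
    r"(?P<sev>Critical|High|Medium|Low|-)(?P<sev_ai>AI)?"
    r"(?P<date>\d{4}-\d{2}-\d{2})$"
)

# Constructed sample: five rows copied verbatim from the table on this page,
# chosen to cover the normal layout, the unscored row and the AI-tagged rows.
SAMPLE_ROWS = [
    "CVE-2026-49205 phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix) CWE-862 6.5 Medium2026-06-18",
    "CVE-2026-48488 phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing CWE-328--2026-06-08",
    "CVE-2026-46364 phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha CWE-89 9.8 Critical2026-05-15",
    "CVE-2026-34973 phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure CWE-943 8.2AIHighAI2026-04-02",
    "CVE-2026-32629 phpMyFAQ: Stored XSS via Unsanitized Email Field in Admin FAQ Editor CWE-20 6.1AIMediumAI2026-04-02",
]


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    cwe: str
    score: Optional[float]   # None when the page shows "-"
    severity: Optional[str]  # None when the page shows "-"
    ai_estimated: bool       # True when the page tagged the score/severity "AI"
    published: str


def parse_row(line: str) -> Advisory:
    """Parse one flattened table row; raise on anything that does not fit."""
    m = ROW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised row: {line!r}")
    return Advisory(
        cve=m["cve"],
        title=m["title"],
        cwe=m["cwe"],
        score=None if m["score"] == "-" else float(m["score"]),
        severity=None if m["sev"] == "-" else m["sev"],
        ai_estimated=bool(m["score_ai"] or m["sev_ai"]),
        published=m["date"],
    )


def summarize(rows):
    """Counts by severity and by CWE, plus the highest-scored entry."""
    advisories = [parse_row(r) for r in rows]
    scored = [a for a in advisories if a.score is not None]
    worst = max(scored, key=lambda a: a.score, default=None)
    return {
        "count": len(advisories),
        "by_severity": dict(Counter(a.severity or "unscored" for a in advisories)),
        "by_cwe": dict(Counter(a.cwe for a in advisories)),
        "worst": worst.cve if worst else None,
    }


def triage(rows, min_score: float = 7.0):
    """CVE IDs at or above min_score, highest first, plus the unscored IDs
    kept separately: a missing score is not a low score."""
    advisories = [parse_row(r) for r in rows]
    hits = sorted(
        (a for a in advisories if a.score is not None and a.score >= min_score),
        key=lambda a: a.score,
        reverse=True,
    )
    unscored = [a.cve for a in advisories if a.score is None]
    return [a.cve for a in hits], unscored


if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
    print(triage(SAMPLE_ROWS))
```

The unscored and AI-tagged entries are kept distinct on purpose: an entry with no published score (here the SHA1 password-hashing advisory) should land on the review list rather than silently dropping below a threshold, and an AI-estimated score should be re-checked against the vendor advisory before it drives a patch decision.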