thorsten/phpmyfaq Security Advisories for 4.0.0-RC.5 (21)
- [CRITICAL] phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha
  PKSA-trv8-7xnx-t8d9 GHSA-289f-fq7w-6q2w
  Affected version: <=4.1.1
  Reported by: GitHub
- [MEDIUM] phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins
  PKSA-djzh-dx9x-j5hd GHSA-gh9p-q46p-57g2
  Affected version: <=4.1.1
  Reported by: GitHub
- [HIGH] phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
  PKSA-k9ft-9rnh-h8dn GHSA-99qv-g4x9-mgc3
  Affected version: <=4.1.1
  Reported by: GitHub
- [HIGH] phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
  PKSA-n87n-9t5q-zcf5 GHSA-pm8c-3qq3-72w7
  Affected version: <=4.1.1
  Reported by: GitHub
- [CRITICAL] phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id
  PKSA-q6mm-vp1w-mgjs GHSA-9pq7-mfwh-xx2j
  Affected version: <=4.1.1
  Reported by: GitHub
- [MEDIUM] phpMyFAQ has stored XSS via | raw Filter in search.twig — html_entity_decode(strip_tags()) Bypass in Search Result Rendering
  PKSA-198b-7kr6-ksdh GHSA-pqh6-8fxf-jx22
  Affected version: <=4.1.1
  Reported by: GitHub
- [MEDIUM] phpMyFAQ's Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User
  PKSA-pmsp-dtdj-k1f9 GHSA-rm98-82fr-mcfx
  Affected version: <=4.1.1
  Reported by: GitHub
- [MEDIUM] phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS
  PKSA-sw8q-jkxw-m11r GHSA-whqh-9pq5-c7r3
  Affected version: <=4.1.1
  Reported by: GitHub
- [MEDIUM] phpMyFAQ has Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization
  PKSA-jr2y-dd2x-qtks GHSA-f5p7-2c9q-8896
  Affected version: <=4.1.1
  Reported by: GitHub
- [MEDIUM] phpMyFAQ's Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags
  PKSA-p58s-jb5m-qycz GHSA-7cx3-2qx2-3g6w
  Affected version: <=4.1.1
  Reported by: GitHub
- [MEDIUM] phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check
  PKSA-b77f-s5cd-b1qh GHSA-hpgw-ww76-c68r
  Affected version: <=4.1.1
  Reported by: GitHub
- [MEDIUM] phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation
  PKSA-yy2b-x6vy-wsx2 CVE-2026-34974 GHSA-5crx-pfhq-4hgg
  Affected version: <=4.1.0
  Reported by: GitHub
- [MEDIUM] phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure
  PKSA-fk9h-qz7y-fk1q CVE-2026-34973 GHSA-gcp9-5jc8-976x
  Affected version: <4.1.1
  Reported by: GitHub
- [MEDIUM] phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor
  PKSA-t2yv-wns1-2p5c CVE-2026-32629 GHSA-98gw-w575-h2ph
  Affected version: <=4.1.0
  Reported by: GitHub
- [HIGH] phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint
  PKSA-y9f6-42c9-xggs CVE-2026-27836 GHSA-w22q-m2fm-x9f4
  Affected version: <4.0.18
  Reported by: GitHub
- [MEDIUM] phpMyFAQ: Public API endpoints expose emails and invisible questions
  PKSA-2sk9-r8yw-1gc5 CVE-2026-24422 GHSA-j4rc-96xj-gvqc
  Affected version: <=4.0.16
  Reported by: GitHub
- [MEDIUM] phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)
  PKSA-fgvt-rx8y-b52y CVE-2026-24421 GHSA-wm8h-26fv-mg7g
  Affected version: <=4.0.16
  Reported by: GitHub
- [MEDIUM] phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)
  PKSA-mvwk-xn5v-s54b CVE-2026-24420 GHSA-7p9h-m7m8-vhhv
  Affected version: <=4.0.16
  Reported by: GitHub
- [HIGH] phpMyFAQ has unauthenticated config backup download via /api/setup/backup
  PKSA-w8m6-73n2-zbk6 CVE-2025-69200 GHSA-9cg9-4h4f-j6fg
  Affected version: >=4.1.0-alpha,<=4.1.0-beta.2|<4.0.16
  Reported by: GitHub
- [HIGH] phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
  PKSA-zh4p-vq78-zndy CVE-2025-62519 GHSA-fxm2-cmwj-qvx4
  Affected version: <=4.0.13
  Reported by: GitHub
- [MEDIUM] phpMyFAQ Vulnerable to Stored HTML Injection at FAQ
  PKSA-m8x7-3hjv-95dd CVE-2024-56199 GHSA-ww33-jppq-qfrp
  Affected version: >=3.2.10,<=4.0.1
  Reported by: GitHub