Phpmyfaq


By the Year

In 2026 there have been 18 vulnerabilities in Phpmyfaq with an average score of 7.1 out of ten. Last year, in 2025, Phpmyfaq had 4 security vulnerabilities published. That is, 14 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was greater by 0.83.

Year  Vulnerabilities  Average Score
2026  18               7.09
2025  4                7.93
2024  13               6.38
2023  62               6.27
2022  7                7.30
2021  0                0.00
2020  0                0.00
2019  0                0.00
2018  2                8.00

It may take a day or so for new Phpmyfaq vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Phpmyfaq Security Vulnerabilities

phpMyFAQ <4.1.4 auth escalation via editUser/updateUserRights
CVE-2026-56396 8.8 - High - June 21, 2026

phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights to escalate to SuperAdmin access.

AuthZ

Unauthenticated Password Reset in phpMyFAQ <4.1.3 (API)
CVE-2026-35676 8.2 - High - May 28, 2026

phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials.

Weak Password Recovery Mechanism for Forgotten Password

phpMyFAQ <4.1.3 Auth Bypass in Password Reset Enables Unauth Account Takeover
CVE-2026-35675 8.2 - High - May 28, 2026

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access.

Improper Restriction of Excessive Authentication Attempts

phpMyFAQ <4.1.3 Auth Bypass via Empty apiClientToken, allows create/modify
CVE-2026-35672 7.5 - High - May 28, 2026

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.

Insecure Default Initialization of Resource

phpMyFAQ 4.1.3 Insecure Direct Object Reference in Admin Password API
CVE-2026-35671 8.8 - High - May 28, 2026

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.

Incorrect Privilege Assignment

phpMyFAQ <4.1.2: Stored XSS via Utils::parseUrl()
CVE-2026-46367 7.6 - High - May 15, 2026

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving full application takeover when visitors view affected FAQ pages.

XSS

phpMyFAQ<4.1.2: Blind Info Disclosure via getIdFromSolutionId()
CVE-2026-46366 7.5 - High - May 15, 2026

phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solution_id_{id}.html endpoint. Attackers can sequentially iterate solution IDs to discover all FAQs including those restricted to specific users or groups, leaking sensitive metadata through redirect Location headers and page canonical links.

AuthZ

phpMyFAQ 4.1.1: Missing Auth Deleting Tags via /admin/api/content/tags/{tagId}
CVE-2026-46365 5.4 - Medium - May 15, 2026

phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, including regular frontend users, can delete arbitrary tags by sending a DELETE request with a valid session cookie, resulting in permanent data loss and disruption of FAQ organization.

AuthZ

phpMyFAQ <4.1.2 Unauth SQLi in BuiltinCaptcha via User-Agent
CVE-2026-46364 9.8 - Critical - May 15, 2026

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database.

SQL Injection

phpMyFAQ <4.1.2 XSS via FAQ Create/Update (Twig raw)
CVE-2026-46363 5.4 - Medium - May 15, 2026

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags via question or answer parameters, which execute in every visitor's browser when FAQ content is rendered with the raw Twig filter.

XSS

phpMyFAQ <4.1.2 auth bypass in AbstractAdministrationController::userHasPermission
CVE-2026-46362 6.5 - Medium - May 15, 2026

phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.

AuthZ

phpMyFAQ <4.1.2 XSS via raw filter in search.twig
CVE-2026-46361 6.9 - Medium - May 15, 2026

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass html_entity_decode(strip_tags()) processing in SearchController.php, executing arbitrary JavaScript in every visitor's browser context including administrators.

XSS

phpMyFAQ <4.1.2 Stored XSS in SvgSanitizer::decodeAllEntities()
CVE-2026-46360 5.4 - Medium - May 15, 2026

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQ_EDIT permission can upload malicious SVG files with deeply nested ampersand encoding around numeric HTML entities to reconstruct javascript: URLs, which execute arbitrary JavaScript when clicked by other users viewing the uploaded SVG.

XSS

phpMyFAQ <4.1.2 SQLi via CurrentUser::setTokenData
CVE-2026-46359 7.5 - High - May 15, 2026

phpMyFAQ before 4.1.2 contains an SQL injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break out of string literals and execute arbitrary database queries.

SQL Injection

phpMyFAQ <4.1.2 /admin/check brute-force TOTP 2FA bypass
CVE-2026-45010 9.1 - Critical - May 15, 2026

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.

Improper Restriction of Excessive Authentication Attempts

Insufficient Auth in phpMyFAQ v<4.1.2 Admin-API Exposes Admin Data
CVE-2026-45009 4.3 - Medium - May 15, 2026

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.

AuthZ

phpMyFAQ 4.1.2 Path Traversal Deletion in Client::deleteClientFolder
CVE-2026-45008 6.5 - Medium - May 15, 2026

phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope.

External Control of File Name or Path

phpMyFAQ <=4.1.1: Authenticated Config Enumeration via /admin/api/configuration
CVE-2026-45007 4.3 - Medium - May 15, 2026

phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT). Any authenticated user can enumerate system configuration metadata including permission model, cache backend, mail provider, and translation provider by querying /admin/api/configuration endpoints, violating least privilege access control.

AuthZ

phpMyFAQ 3.1.12 CSV Injection in Authenticated User Names
CVE-2023-53929 8.8 - High - December 17, 2025

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file.

CSV Injection

phpMyFAQ 4.0.13 or earlier: Authenticated SQLi in config update (full DB compromise)
CVE-2025-62519 7.2 - High - November 17, 2025

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. This issue has been patched in version 4.0.14.

SQL Injection

Email Uniqueness Bypass in phpMyFAQ <=4.0.12 (Patch 4.0.13)
CVE-2025-59943 8.1 - High - October 03, 2025

phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications, and administrative actions, this flaw can cause account ambiguity and, in certain configurations, may lead to privilege escalation or account takeover. This issue is fixed in version 4.0.13.

Incorrect User Management

phpMyFAQ 3.2.10 to 4.0.1: Admin Editor HTML Injection Enables UI DoS
CVE-2024-56199 7.6 - High - January 02, 2025

phpMyFAQ is an open source FAQ web application. Starting no later than version 3.2.10 and prior to version 4.0.2, an attacker can inject malicious HTML content into the FAQ editor at `http[:]//localhost/admin/index[.]php?action=editentry`, resulting in a complete disruption of the FAQ page's user interface. By injecting malformed HTML elements styled to cover the entire screen, an attacker can render the page unusable. This injection manipulates the page structure by introducing overlapping buttons, images, and iframes, breaking the intended layout and functionality. Exploiting this issue can lead to Denial of Service for legitimate users, damage to the user experience, and potential abuse in phishing or defacement attacks. Version 4.0.2 contains a patch for the vulnerability.

XSS

phpMyFAQ: Privileged File Download Vulnerability in FAQ Record Component
CVE-2024-55889 7.2 - High - December 13, 2024

phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue.

User Interface (UI) Misrepresentation of Critical Information

Credential Disclosure via DB Connection Error in phpMyFAQ <4.0.0
CVE-2024-54141 7.5 - High - December 06, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (i.e. PostgreSQL) server's credentials when the connection to the database fails. This vulnerability is fixed in 4.0.0.

Generation of Error Message Containing Sensitive Information

phpMyFAQ Path Traversal in Attachments before 3.2.6, admin file upload
CVE-2024-29196 2.7 - Low - March 26, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. There is a Path Traversal vulnerability in Attachments that allows attackers with admin rights to upload malicious files to other locations of the web root. This vulnerability is fixed in 3.2.6.

Directory traversal

phpMyFAQ XSS via JS upload (admin privileges)
CVE-2024-29179 4.8 - Medium - March 25, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An attacker with admin privileges can upload an attachment containing JS code without extension and the application will render it as HTML which allows for XSS attacks.

XSS

phpMyFAQ 3.2.6 RCE via image upload: Content-Type & lang abuse
CVE-2024-28105 7.2 - High - March 25, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The category image upload function in phpmyfaq is vulnerable to manipulation of the `Content-type` and `lang` parameters, allowing attackers to upload malicious files with a .php extension, potentially leading to remote code execution (RCE) on the system. This vulnerability is fixed in 3.2.6.

Unrestricted File Upload

phpMyFAQ XSS via contentLink before v3.2.6
CVE-2024-28108 6.1 - Medium - March 25, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the `contentLink` parameter, it is possible for unauthenticated users to inject HTML code into the page, which might affect other users. This also requires that adding new FAQs is allowed for guests and that the admin doesn't check the content of a newly added FAQ. This vulnerability is fixed in 3.2.6.

XSS

phpMyFAQ XSS via news POST param (fixed @ 3.2.6)
CVE-2024-28106 5.4 - Medium - March 25, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers. This vulnerability is fixed in 3.2.6.

XSS

phpMyFAQ <=3.2.5 Stored XSS via email field in user control panel
CVE-2024-27300 5.4 - Medium - March 25, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The `email` field in phpMyFAQ's user control panel page is vulnerable to stored XSS attacks due to the inadequacy of PHP's `FILTER_VALIDATE_EMAIL` function, which only validates the email format, not its content. This vulnerability enables an attacker to execute arbitrary client-side JavaScript within the context of another user's phpMyFAQ session. This vulnerability is fixed in 3.2.6.

XSS

SQLi in phpMyFAQ 3.2.5 authorEmail field Add News, fixed in 3.2.6
CVE-2024-27299 8.8 - High - March 25, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. A SQL injection vulnerability has been discovered in the "Add News" functionality due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve RCE. The vulnerable field is the `authorEmail` field, which uses PHP's `FILTER_VALIDATE_EMAIL` filter. This filter is insufficient in protecting against SQL injection attacks, and the value should still be properly escaped. However, in this version of phpMyFAQ (3.2.5), this field is not escaped properly and can be used together with other fields to fully exploit the SQL injection vulnerability. This vulnerability is fixed in 3.2.6.

SQL Injection

phpMyFAQ 3.1.x SQLi in insertentry/saveentry Enables RCE
CVE-2024-28107 8.8 - High - March 25, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. A SQL injection vulnerability has been discovered in the `insertentry` & `saveentry` when modifying records due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve RCE. This vulnerability is fixed in 3.2.6.

SQL Injection

phpMyFAQ 3.2.5 - Unauth Remote Email Spraying via FAQ Share
CVE-2024-22208 6.5 - Medium - February 05, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. The phpMyFAQ application has a functionality where anyone can share a FAQ item with others. The front-end of this functionality allows any phpMyFAQ article to be shared with 5 email addresses, and any unauthenticated actor can perform this action. There is a CAPTCHA in place; however, the number of recipients in a single request is not limited to 5 by the backend. An attacker can thus solve a single CAPTCHA and send thousands of emails at once, using the target application's email server to send phishing messages. This can get the server on a blacklist, causing all of its emails to end up in spam, and can also lead to reputation damage. This issue has been patched in version 3.2.5.

AuthZ

phpMyFAQ XSS via unsafe echo of filename in attachments.php before 3.2.5
CVE-2024-24574 6.1 - Medium - February 05, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An unsafe echo of the filename in phpMyFAQ\phpmyfaq\admin\attachments.php allows execution of JavaScript code on the client side (XSS). This vulnerability has been patched in version 3.2.5.

XSS

phpMyFAQ <3.2.5: User Removal Spoofing Allows Phishing (CVE-2024-22202)
CVE-2024-22202 6.5 - Medium - February 05, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. phpMyFAQ's user removal page allows an attacker to spoof another user's details, and in turn make a compelling phishing case for removing another user's account. Although the front-end of this page doesn't allow changing the form details, an attacker can use a proxy to intercept the request and submit other data. Upon submitting this form, an email is sent to the administrator informing them that this user wants to delete their account. An administrator has no way of telling the difference between the actual user wishing to delete their account and the attacker issuing the request for an account they do not control. This issue has been patched in version 3.2.5.

Authorization

Stored XSS Vulnerability in phpMyFAQ <3.1.17
CVE-2023-6889 5.4 - Medium - December 16, 2023

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.17.

XSS

Stored XSS in phpmyfaq before 3.1.17
CVE-2023-6890 5.4 - Medium - December 16, 2023

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.17.

XSS

phpmyfaq <=3.2.1 Insecure Session Expiration
CVE-2023-5865 9.8 - Critical - October 31, 2023

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.

Insufficient Session Expiration

phpMyFAQ < 3.2.2 Stored XSS in Feedback Component
CVE-2023-5867 5.4 - Medium - October 31, 2023

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.2.

XSS

phpMyFAQ <=3.2.1: HTTPS Cookie Without Secure Flag
CVE-2023-5866 5.7 - Medium - October 31, 2023

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1.

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

phpMyFAQ <3.2.2 Reflected XSS in GitHub Repository
CVE-2023-5863 6.1 - Medium - October 31, 2023

Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.2.

XSS

XSS in phpmyfaq v<3.2.1 (GitHub thorsten/phpmyfaq)
CVE-2023-5864 4.8 - Medium - October 31, 2023

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.1.

XSS

Unrestricted File Upload in phpmyfaq <3.1.8
CVE-2023-5227 9.8 - Critical - September 30, 2023

Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.8.

Unrestricted File Upload

DOM XSS in phpMyFAQ prior to v3.1.18
CVE-2023-5316 6.1 - Medium - September 30, 2023

Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

XSS

DOM XSS in phpmyfaq <3.1.18
CVE-2023-5320 6.1 - Medium - September 30, 2023

Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

XSS

Stored XSS in PHPMyFAQ before 3.1.18
CVE-2023-5317 5.4 - Medium - September 30, 2023

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

XSS

phpmyfaq Stored XSS <3.1.18
CVE-2023-5319 5.4 - Medium - September 30, 2023

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

XSS

CVE-2023-4006: Formula Element XSS in phpmyfaq <3.1.16
CVE-2023-4006 9.8 - Critical - July 31, 2023

Improper Neutralization of Formula Elements in a CSV File in GitHub repository thorsten/phpmyfaq prior to 3.1.16.

CSV Injection

phpMyFAQ Stored XSS (CVE-2023-4007) before v3.1.16
CVE-2023-4007 5.4 - Medium - July 31, 2023

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.16.

XSS

phpmyfaq Reflected XSS (Before 3.2.0-beta.2)
CVE-2023-3469 4.8 - Medium - June 30, 2023

Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta.2.

XSS
