| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-34974 | phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding leads to Stored XSS and Privilege Escalation | thorsten | phpMyFAQ | Medium | 5.4 | 2026-04-02 14:48:23 | Deep Dive |
| CVE-2026-34973 | phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure | thorsten | phpMyFAQ | - | - | 2026-04-02 14:47:23 | Deep Dive |
| CVE-2026-34729 | phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes() | thorsten | phpMyFAQ | Medium | 6.1 | 2026-04-02 14:46:22 | Deep Dive |
| CVE-2026-34728 | phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController | thorsten | phpMyFAQ | High | 8.7 | 2026-04-02 14:44:19 | Deep Dive |
| CVE-2026-32629 | phpMyFAQ: Stored XSS via Unsanitized Email Field in Admin FAQ Editor | thorsten | phpMyFAQ | - | - | 2026-04-02 14:43:15 | Deep Dive |
| CVE-2026-27836 | phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint | thorsten | phpMyFAQ | High | 7.5 | 2026-02-27 19:54:52 | Deep Dive |
| CVE-2026-24422 | phpMyFAQ: Public API endpoints expose emails and invisible questions | thorsten | phpMyFAQ | Medium | 5.3 | 2026-01-24 02:02:31 | Deep Dive |
| CVE-2026-24420 | phpMyFAQ: Attachment download allowed without dlattachment right (broken access control) | thorsten | phpMyFAQ | Medium | 6.5 | 2026-01-24 01:57:28 | Deep Dive |
| CVE-2026-24421 | phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user | thorsten | phpMyFAQ | Medium | 6.5 | 2026-01-24 01:43:10 | Deep Dive |
| CVE-2025-69200 | phpMyFAQ has unauthenticated config backup download via /api/setup/backup | thorsten | phpMyFAQ | High | 7.5 | 2025-12-29 15:24:52 | Deep Dive |
| CVE-2025-68951 | phpMyFAQ has stored XSS in admin "List of users" via display_name HTML entity decoding (html_entity_decode) + Twig \|raw | thorsten | phpMyFAQ | Medium | 5.4 | 2025-12-29 15:18:58 | Deep Dive |
| CVE-2025-62519 | phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality | thorsten | phpMyFAQ | High | 7.2 | 2025-11-17 16:48:50 | Deep Dive |
| CVE-2025-59943 | phpMyFAQ duplicate email registration allows multiple accounts with the same email | thorsten | phpMyFAQ | High | 8.1 | 2025-10-03 20:06:09 | Deep Dive |
| CVE-2024-56199 | phpMyFAQ Vulnerable to Stored HTML Injection at FAQ | thorsten | phpMyFAQ | Medium | 5.2 | 2025-01-02 17:27:09 | Deep Dive |
| CVE-2024-55889 | phpMyFAQ Vulnerable to Unintended File Download Triggered by Embedded Frames | thorsten | phpMyFAQ | Medium | 4.9 | 2024-12-13 13:44:58 | Deep Dive |
| CVE-2024-54141 | phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available | thorsten | phpMyFAQ | High | 8.6 | 2024-12-06 15:00:16 | Deep Dive |
| CVE-2024-29196 | phpMyFAQ Path Traversal in Attachments | thorsten | phpMyFAQ | Low | 3.8 | 2024-03-26 03:01:37 | Deep Dive |
| CVE-2024-29179 | phpMyFAQ Stored Cross-site Scripting at File Attachments | thorsten | phpMyFAQ | - | - | 2024-03-25 20:27:55 | Deep Dive |
| CVE-2024-28108 | phpMyFAQ Stored HTML Injection at contentLink | thorsten | phpMyFAQ | Medium | 4.7 | 2024-03-25 18:52:19 | Deep Dive |
| CVE-2024-28107 | phpMyFAQ SQL injections at insertentry & saveentry | thorsten | phpMyFAQ | High | 8.8 | 2024-03-25 18:47:12 | Deep Dive |