CVE-2026-46362— phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check
Possible ATT&CK Techniques 1AI
T1078 · Valid AccountsGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-46362
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check
Source: NVD (National Vulnerability Database)
Vulnerability Description
phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-46362
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-46362
请登录查看更多情报信息。
Same Patch Batch · thorsten · 2026-05-15 · 13 CVEs total
| CVE-2026-46364 | 9.8 CRITICAL | phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha |
| CVE-2026-45010 | 9.1 CRITICAL | phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint |
| CVE-2026-46367 | 7.6 HIGH | phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering |
| CVE-2026-46359 | 7.5 HIGH | phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Unescaped OAuth Token Fields |
| CVE-2026-46366 | 7.5 HIGH | phpMyFAQ - Unauthenticated Information Disclosure via getIdFromSolutionId Permission Bypas |
| CVE-2026-46361 | 6.9 MEDIUM | phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig |
| CVE-2026-45008 | 6.5 MEDIUM | phpMyFAQ - Path Traversal in Client::deleteClientFolder via URL Parameter |
| CVE-2026-46360 | 5.4 MEDIUM | phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer |
| CVE-2026-46363 | 5.4 MEDIUM | phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass |
| CVE-2026-46365 | 5.4 MEDIUM | phpMyFAQ - Missing Authorization in Tag Deletion Endpoint |
| CVE-2026-45007 | 4.3 MEDIUM | phpMyFAQ - Missing Permission Check on 12 Configuration API Endpoints Allows Information D |
| CVE-2026-45009 | 4.3 MEDIUM | phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints |
IV. Related Vulnerabilities
Same product: phpmyfaq
- CVE-2026-46367
phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rende - CVE-2026-46366
phpMyFAQ - Unauthenticated Information Disclosure via getIdF - CVE-2026-46365
phpMyFAQ - Missing Authorization in Tag Deletion Endpoint - CVE-2026-46364
phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCap - CVE-2026-46363
phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Deco
Same vendor: thorsten
- CVE-2026-46367
phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rende - CVE-2026-46366
phpMyFAQ - Unauthenticated Information Disclosure via getIdF - CVE-2026-46365
phpMyFAQ - Missing Authorization in Tag Deletion Endpoint - CVE-2026-46364
phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCap - CVE-2026-46363
phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Deco
Same weakness: CWE-863
- CVE-2026-45316
Open WebUI: Read-Only Users Can Toggle Note Pin Status via I - CVE-2026-44567
Open WebUI: Open WebUI Improper Authorization Control - CVE-2026-45672
Open WebUI: Jupyter code execution works despite `ENABLE_COD - CVE-2026-44557
Open WebUI: Global Knowledge Base Enumeration via knowledge- - CVE-2026-44561
Open WebUI: Deactivated Channel Members Retain Full Access t
V. Comments for CVE-2026-46362
No comments yet