
phpmyfaq — Vulnerabilities & Security Advisories (41)

All 41 CVE vulnerabilities found in phpmyfaq, with AI-generated Chinese analysis, references, and POCs.

This page aggregates the known vulnerabilities of the phpMyFAQ software, covering the relevant Common Weakness Enumerations (CWE) and associated tags within the vendor's ecosystem. It collects security flaws including cross-site scripting, SQL injection, and authentication bypasses affecting different versions of the application over a broad historical timeline. Using this resource, readers can track the vendor's security advisories to see how issues are disclosed and resolved, gain a deeper understanding of the weakness classes relevant to knowledge base systems, and review the complete vulnerability history of phpMyFAQ to assess long-term risk exposure. The information is intended for security researchers, system administrators, and developers who need to evaluate the integrity of their deployments. The compilation serves as a centralized reference for identifying past incidents and understanding the security posture of the software over time; entries are organized for efficient searching and analysis without requiring access to external databases or proprietary tools. The goal is transparency about known issues while avoiding speculation or unverified claims, so readers are encouraged to cross-reference these details with official release notes and patch documentation for accurate remediation steps. The content remains strictly factual, focusing on documented events rather than subjective assessments of the vendor's overall security practices.

Vendor: thorsten

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-46367 | phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering | CWE-79 | 7.6 | High | 2026-05-15 |
| CVE-2026-46366 | phpMyFAQ - Unauthenticated Information Disclosure via getIdFromSolutionId Permission Bypass | CWE-863 | 7.5 | High | 2026-05-15 |
| CVE-2026-46365 | phpMyFAQ - Missing Authorization in Tag Deletion Endpoint | CWE-862 | 5.4 | Medium | 2026-05-15 |
| CVE-2026-46364 | phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha | CWE-89 | 9.8 | Critical | 2026-05-15 |
| CVE-2026-46363 | phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass | CWE-79 | 5.4 | Medium | 2026-05-15 |
| CVE-2026-46362 | phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check | CWE-863 | 6.5 | Medium | 2026-05-15 |
| CVE-2026-46361 | phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig | CWE-79 | 6.9 | Medium | 2026-05-15 |
| CVE-2026-46360 | phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer | CWE-79 | 5.4 | Medium | 2026-05-15 |
| CVE-2026-46359 | phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Unescaped OAuth Token Fields | CWE-89 | 7.5 | High | 2026-05-15 |
| CVE-2026-45010 | phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint | CWE-307 | 9.1 | Critical | 2026-05-15 |
| CVE-2026-45009 | phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints | CWE-863 | 4.3 | Medium | 2026-05-15 |
| CVE-2026-45008 | phpMyFAQ - Path Traversal in Client::deleteClientFolder via URL Parameter | CWE-73 | 6.5 | Medium | 2026-05-15 |
| CVE-2026-45007 | phpMyFAQ - Missing Permission Check on 12 Configuration API Endpoints Allows Information Disclosure | CWE-862 | 4.3 | Medium | 2026-05-15 |
| CVE-2026-34974 | phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding leads to Stored XSS and Privilege Escalation | CWE-79 | 5.4 | Medium | 2026-04-02 |
| CVE-2026-34973 | phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure | CWE-943 | 8.2 (AI) | High (AI) | 2026-04-02 |
| CVE-2026-34729 | phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes() | CWE-79 | 6.1 | Medium | 2026-04-02 |
| CVE-2026-34728 | phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController | CWE-22 | 8.7 | High | 2026-04-02 |
| CVE-2026-32629 | phpMyFAQ: Stored XSS via Unsanitized Email Field in Admin FAQ Editor | CWE-20 | 6.1 (AI) | Medium (AI) | 2026-04-02 |
| CVE-2026-27836 | phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint | CWE-862 | 7.5 | High | 2026-02-27 |
| CVE-2026-24422 | phpMyFAQ: Public API endpoints expose emails and invisible questions | CWE-200 | 5.3 | Medium | 2026-01-24 |
| CVE-2026-24420 | phpMyFAQ: Attachment download allowed without dlattachment right (broken access control) | CWE-284 | 6.5 | Medium | 2026-01-24 |
| CVE-2026-24421 | phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user | CWE-862 | 6.5 | Medium | 2026-01-24 |
| CVE-2025-69200 | phpMyFAQ has unauthenticated config backup download via /api/setup/backup | CWE-202 | 7.5 | High | 2025-12-29 |
| CVE-2025-68951 | phpMyFAQ has stored XSS in admin "List of users" via display_name HTML entity decoding (html_entity_decode) + Twig \|raw | CWE-79 | 5.4 | Medium | 2025-12-29 |
| CVE-2023-53929 | phpMyFAQ 3.1.12 CSV Injection via User Profile Export | CWE-1236 | 8.8 | High | 2025-12-17 |
| CVE-2025-62519 | phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality | CWE-89 | 7.2 | High | 2025-11-17 |
| CVE-2025-59943 | phpMyFAQ duplicate email registration allows multiple accounts with the same email | CWE-286 | 8.1 | High | 2025-10-03 |
| CVE-2024-56199 | phpMyFAQ Vulnerable to Stored HTML Injection at FAQ | CWE-79 | 5.2 | Medium | 2025-01-02 |
| CVE-2024-55889 | phpMyFAQ Vulnerable to Unintended File Download Triggered by Embedded Frames | CWE-451 | 4.9 | Medium | 2024-12-13 |
| CVE-2024-54141 | phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available | CWE-209 | 8.6 | High | 2024-12-06 |

(AI): the score and severity carried an "AI" tag on the source page, i.e. they are AI-generated estimates rather than an official CVSS rating.
