Security: thorsten/phpMyFAQ
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Potential Authenticated Path Traversal in PDF Export (phpMyFAQ 4.x)
  GHSA-88g4-74f3-63x9, published Jun 14, 2026 by thorsten. Severity: Moderate
- phpMyFAQ public FAQ APIs expose inactive FAQ content
  GHSA-mf8r-wm2w-f8c5, published Jun 14, 2026 by thorsten. Severity: Moderate
- Privilege escalation: GroupController::updatePermissions lets a GROUP_EDIT admin grant rights they do not hold (missing self-rights constraint, sibling of the updateUserRights fix)
  GHSA-pg62-f8g4-4wqh, published Jun 14, 2026 by thorsten. Severity: High
- Privilege escalation in admin API: user/add lets a non-SuperAdmin admin create a SuperAdmin (incomplete fix of the GHSA-xvp4 / GHSA-985r authorization-hardening series)
  GHSA-r2f4-v277-hvw9, published Jun 14, 2026 by thorsten. Severity: High
- Incomplete fix for CVE-2026-24421: Missing userHasPermission() in 4 API write endpoints
  GHSA-8c6h-7g6x-m5x4, published May 25, 2026 by thorsten. Severity: High
- phpMyFAQ 4.1.3: incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards
  GHSA-985r-q3qp-299h, published May 25, 2026 by thorsten. Severity: High
- Weak Cryptography - SHA1 for Password Hashing
  GHSA-58fg-62fg-3fcj, published May 25, 2026 by thorsten. Severity: Low
- Security Advisory Submission: Default Empty API Token Authentication Bypass
  GHSA-gp95-j463-vv28, published May 14, 2026 by thorsten. Severity: High
- phpMyFAQ IDOR Account Takeover
  GHSA-xvp4-phqj-cjr3, published May 14, 2026 by thorsten. Severity: High
- Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration
  GHSA-w9xh-5f39-vq89, published May 14, 2026 by thorsten. Severity: High