Security: thorsten/phpMyFAQ
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- phpMyFAQ: Public API endpoints expose emails and invisible questions (GHSA-j4rc-96xj-gvqc), published Jan 23, 2026 by thorsten. Severity: Moderate
- phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing) (GHSA-wm8h-26fv-mg7g), published Jan 23, 2026 by thorsten. Severity: Moderate
- phpMyFAQ: Attachment download allowed without dlattachment right (broken access control) (GHSA-7p9h-m7m8-vhhv), published Jan 23, 2026 by thorsten. Severity: Moderate
- Unauthenticated config backup download via /api/setup/backup (GHSA-9cg9-4h4f-j6fg), published Dec 29, 2025 by thorsten. Severity: High
- Stored XSS in admin “List of users” via display_name HTML entity decoding (html_entity_decode) + Twig |raw (GHSA-jv8r-hv7q-p6vc), published Dec 29, 2025 by thorsten. Severity: Moderate
- Authenticated SQL Injection in Configuration Update Functionality (GHSA-fxm2-cmwj-qvx4), published Nov 15, 2025 by thorsten. Severity: High
- Duplicate email registration allows multiple accounts with the same email in phpMyFAQ (GHSA-9wj2-4hcm-r74j), published Oct 3, 2025 by thorsten. Severity: High
- Stored HTML Injection at FAQ (GHSA-ww33-jppq-qfrp), published Jan 2, 2025 by thorsten. Severity: Moderate
- Unintended File Download Triggered by Embedded Frames (GHSA-m3r7-8gw7-qwvc), published Dec 13, 2024 by thorsten. Severity: Moderate
- Generation of Error Message Containing Sensitive Information if database server is not available (GHSA-vrjr-p3xp-xx2x), published Dec 6, 2024 by thorsten. Severity: High