PT-2026-41364 · Phpmyfaq · Phpmyfaq

Offset

·

Published

2026-05-06

·

Updated

2026-05-15

·

CVE-2026-46362

CVSS v4.0

7.1

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.2
Description An authorization bypass exists in the userHasPermission() function of the AbstractAdministrationController class. The function catches a ForbiddenException when a user lacks required permissions and sends a forbidden HTML response via $response->send(), but it fails to terminate the script execution. Consequently, the calling controller method continues to run, fetching protected data and rendering the full template. The final response appends the protected content to the forbidden page, allowing any authenticated admin user to access restricted pages regardless of their actual permissions.
This issue affects 58 admin controllers, potentially exposing sensitive information such as admin logs (including IP addresses and usernames), user management data, system information (PHP and server configurations), application settings, and backup functionality.
Recommendations Update to version 4.1.2 or later. As a temporary workaround, restrict access to the AbstractAdministrationController and its extending controllers to only highly trusted administrators until the update is applied.

Exploit

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46362
GHSA-HPGW-WW76-C68R
GHSA-W9MJ-GFRM-HJ5X

Affected Products

Phpmyfaq