PT-2026-41368 · Phpmyfaq · Phpmyfaq

Adrgs

·

Published

2026-05-06

·

Updated

2026-05-15

·

CVE-2026-46366

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.2
Description An information disclosure issue exists in the getIdFromSolutionId() and getFaqBySolutionId() methods, which lack proper permission filtering. This allows unauthenticated attackers to enumerate restricted FAQ entries by sequentially iterating solution IDs via the '/solution id {id}.html' endpoint. When a valid ID is requested, the server performs a 301 redirect to a URL containing the FAQ's category, internal ID, language, and a slugified version of the title. This sensitive metadata is leaked through the redirect's Location header, page canonical links, social sharing URLs, and hidden form fields, even if the main content body is restricted. The getFaqBySolutionId() method further exacerbates this by using a fallback query that explicitly bypasses permission filters.
Recommendations Update to version 4.1.2 or later. As a temporary workaround, restrict access to the '/solution id {id}.html' endpoint to authenticated users with appropriate permissions.

Exploit

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46366
GHSA-99QV-G4X9-MGC3
GHSA-CQRW-J4QC-7F9W

Affected Products

Phpmyfaq