PT-2026-41368 · Phpmyfaq · Phpmyfaq
Adrgs
·
Published
2026-05-06
·
Updated
2026-05-15
·
CVE-2026-46366
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
phpMyFAQ versions prior to 4.1.2
Description
An information disclosure issue exists in the
getIdFromSolutionId() and getFaqBySolutionId() methods, which lack proper permission filtering. This allows unauthenticated attackers to enumerate restricted FAQ entries by sequentially iterating solution IDs via the '/solution id {id}.html' endpoint. When a valid ID is requested, the server performs a 301 redirect to a URL containing the FAQ's category, internal ID, language, and a slugified version of the title. This sensitive metadata is leaked through the redirect's Location header, page canonical links, social sharing URLs, and hidden form fields, even if the main content body is restricted. The getFaqBySolutionId() method further exacerbates this by using a fallback query that explicitly bypasses permission filters.Recommendations
Update to version 4.1.2 or later.
As a temporary workaround, restrict access to the '/solution id {id}.html' endpoint to authenticated users with appropriate permissions.
Exploit
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Phpmyfaq