PT-2026-4550 · Phpmyfaq · Phpmyfaq

Brahim-Fouad · Published 2026-01-23 · Updated 2026-01-24 · CVE-2026-24420

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions 4.0.16 and below

Description: A logged-in user without the necessary permission can download FAQ attachments. The cause is an incorrect permission check in the attachment.php file, where the mere presence of a permission key is treated as authorization. The group and user permission logic also contains a flawed conditional expression that can allow unauthorized access. The API endpoint used for attachment download is /index.php?action=attachment&id=1, and the vulnerable parameter is id. The flawed logic involves the expression ($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment']), where isset() only tests that the key exists rather than that the right is actually granted.

Recommendations: Versions prior to 4.0.17 should be updated.
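The following PHP script is an added illustration of the logic flaw described above; it is not phpMyFAQ's own code and not the project's 4.0.17 patch. It evaluates the advisory's exact expression over constructed permission maps and compares it with an assumed hardened form (the `dlattachment` key name comes from the advisory; requiring both group and user permission is an assumption for the example).

```php
<?php
// Added example for CVE-2026-24420 (not phpMyFAQ code). $permission models a
// per-user rights map; the hardened policy below is an assumption.

// The vulnerable expression as quoted in the advisory. Two problems:
//  1. isset() is true whenever the key exists and is not null, so a right
//     explicitly stored as false still passes.
//  2. (A || (A && B)) is logically identical to A, so $userPermission is
//     never actually consulted.
function vulnerableCheck(bool $groupPermission, bool $userPermission, array $permission): bool
{
    return ($groupPermission || ($groupPermission && $userPermission))
        && isset($permission['dlattachment']);
}

// Assumed hardened form: the right must be affirmatively true, and both the
// group and the user permission must hold (least-privilege reading).
function hardenedCheck(bool $groupPermission, bool $userPermission, array $permission): bool
{
    $rightGranted = ($permission['dlattachment'] ?? false) === true;
    return $rightGranted && $groupPermission && $userPermission;
}

// Constructed cases: [group permission, user permission, rights map]
$cases = [
    'right explicitly denied (false)' => [true,  true,  ['dlattachment' => false]],
    'user permission missing'         => [true,  false, ['dlattachment' => true]],
    'right stored as null'            => [true,  true,  ['dlattachment' => null]],
    'key absent'                      => [true,  true,  []],
    'fully authorized'                => [true,  true,  ['dlattachment' => true]],
];

foreach ($cases as $label => [$group, $user, $perm]) {
    printf("%-33s vulnerable=%-5s hardened=%s\n", $label,
        var_export(vulnerableCheck($group, $user, $perm), true),
        var_export(hardenedCheck($group, $user, $perm), true));
}
```

The first two cases are the ones that matter: the vulnerable check returns true for a denied right and for a user with no permission of their own, while the hardened check denies both.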


Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2026-24420
GHSA-7P9H-M7M8-VHHV

Affected Products

Phpmyfaq