PT-2026-4551 · Phpmyfaq · Phpmyfaq

Brahim-Fouad · Published 2026-01-23 · Updated 2026-01-30 · CVE-2026-24421

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions 4.0.14 through 4.0.16

Description: phpMyFAQ is a web-based FAQ application. A flaw in authorization logic exists in versions 4.0.14 and below, exposing the /api/setup/backup API endpoint to any authenticated user, regardless of their permissions. The SetupController.php file uses userIsAuthenticated() but does not verify whether the user holds the necessary configuration or administrative permissions. This allows non-admin users to initiate a configuration backup and obtain its file path. The endpoint only validates authentication, not authorization, and returns a link to the created ZIP archive. Exploitation involves logging in as a non-admin user and calling the backup endpoint. This can lead to the generation of sensitive backups, potentially exposing secrets if the ZIP file is accessible via the web server.

Recommendations: Versions 4.0.14 through 4.0.16 should be updated to version 4.0.17 or later.
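As an added illustration (not phpMyFAQ's own code), the authentication-only pattern the description refers to is shown beside a handler that also enforces authorization. The User class, the hasPermission() helper, the right name 'editconfig' and the archive path are assumptions; only userIsAuthenticated() comes from the advisory.

```php
<?php
// Added example, not phpMyFAQ code: a stripped-down model of the gap above.
// User, its permission list, hasPermission() and the right 'editconfig'
// are assumptions; only userIsAuthenticated() is taken from the advisory.
final class User
{
    public function __construct(
        public readonly string $name,
        public readonly bool $loggedIn,
        public readonly array $permissions, // assumed: names of granted rights
    ) {}
    public function userIsAuthenticated(): bool
    {
        return $this->loggedIn;
    }
    public function hasPermission(string $right): bool // assumed helper
    {
        return in_array($right, $this->permissions, true);
    }
}

const ARCHIVE = 'backup-example.zip'; // constructed sample path, not a real one

// Authentication only: any logged-in user gets a backup and its path (the flaw).
function backupVulnerable(User $user): array
{
    if (!$user->userIsAuthenticated()) {
        return ['status' => 401, 'error' => 'login required'];
    }
    return ['status' => 200, 'backup' => ARCHIVE];
}

// Authentication and authorization: the caller must also hold the
// configuration right before the archive is created or its path returned.
function backupFixed(User $user): array
{
    if (!$user->userIsAuthenticated()) {
        return ['status' => 401, 'error' => 'login required'];
    }
    if (!$user->hasPermission('editconfig')) {
        return ['status' => 403, 'error' => 'insufficient permissions'];
    }
    return ['status' => 200, 'backup' => ARCHIVE];
}

$viewer = new User('viewer', true, ['viewfaq']);
$admin  = new User('admin', true, ['viewfaq', 'editconfig']);
printf("vulnerable / viewer: %d\n", backupVulnerable($viewer)['status']);
printf("fixed / viewer:      %d\n", backupFixed($viewer)['status']);
printf("fixed / admin:       %d\n", backupFixed($admin)['status']);
```

The permission check belongs before any side effect (creating the archive), not only before returning the link, so a denied caller leaves nothing on disk.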


Weakness Enumeration

Improper Authorization
Missing Authorization

Related Identifiers

CVE-2026-24421
GHSA-WM8H-26FV-MG7G

Affected Products

Phpmyfaq