CVE-2026-24422

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions 3.0 (affected versions not specified)

Description Several public API endpoints disclose email addresses and non-public records, such as questions marked as invisible. The OpenQuestionController::list() function calls Question::getAll() with the default showAll=true setting, resulting in the exposure of invisible questions and associated email addresses. Similar issues exist in the comment, news, and FAQ APIs. An attacker can use a simple curl command to retrieve this information from the API endpoint. This can lead to privacy exposure, increasing the risk of phishing and data scraping.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.