PT-2026-51237 · Phpmyfaq · Phpmyfaq

0Xshemesh +1 · Published 2026-06-21 · Updated 2026-06-21 · CVE-2026-56396

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in the editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with the edit user permission can set the is superadmin flag or grant arbitrary rights to escalate to SuperAdmin access.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-56396

Affected Products

Phpmyfaq