| CVE-2026-35671 | high | 8.8 | 8.8 | | | | 6d ago | phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without… |
| CVE-2026-35676 | high | 8.2 | 8.2 | | | | 6d ago | phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Att… |
| CVE-2026-35675 | high | 8.2 | 8.2 | | | | 6d ago | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verificatio… |
| CVE-2026-46367 | high | 7.6 | 7.6 | | | | 19d ago | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craf… |
| CVE-2026-35672 | high | 7.5 | 7.5 | | | | 6d ago | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers c… |
| CVE-2026-45008 | medium | 6.5 | 6.5 | | | | 19d ago | phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit tr… |
| CVE-2026-46360 | medium | 5.4 | 5.4 | | | | 19d ago | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass san… |
| CVE-2026-46363 | medium | 5.4 | 5.4 | | | | 19d ago | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authent… |
| CVE-2026-46365 | medium | 5.4 | 5.4 | | | | 19d ago | phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, incl… |
| CVE-2026-45009 | medium | 4.3 | 4.3 | | | | 19d ago | phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login statu… |
| CVE-2026-24421 | unknown | — | 1.0 | | | | 4mo ago | phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing) |
| CVE-2026-34729 | unknown | — | — | | | | 2mo ago | phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes() |
| CVE-2026-34728 | unknown | — | — | | | | 2mo ago | phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController |
| CVE-2026-32629 | unknown | — | — | | | | 2mo ago | phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor |
| CVE-2026-24422 | unknown | — | — | | | | 4mo ago | phpMyFAQ: Public API endpoints expose emails and invisible questions |
| CVE-2026-24420 | unknown | — | — | | | | 4mo ago | phpMyFAQ: Attachment download allowed without dlattachment right (broken access control) |
| CVE-2023-53929 | unknown | — | — | | | | 6mo ago | phpMyFAQ contains a CSV injection vulnerability |
| CVE-2025-62519 | unknown | — | — | | | | 7mo ago | phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality |
| CVE-2024-56199 | unknown | — | — | | | | 1y ago | phpMyFAQ Vulnerable to Stored HTML Injection at FAQ |
| CVE-2024-27300 | unknown | — | — | | | | 2y ago | phpMyFAQ stored Cross-site Scripting at user email |
| CVE-2024-28105 | unknown | — | — | | | | 2y ago | phpMyFAQ's File Upload Bypass at Category Image Leads to RCE |
| CVE-2024-28106 | unknown | — | — | | | | 2y ago | phpMyFAQ Stored Cross-site Scripting at FAQ News Content |
| CVE-2024-28107 | unknown | — | — | | | | 2y ago | phpMyFAQ SQL injections at insertentry & saveentry |
| CVE-2024-28108 | unknown | — | — | | | | 2y ago | phpMyFAQ Stored HTML Injection at contentLink |
| CVE-2024-29179 | unknown | — | — | | | | 2y ago | phpMyFAQ Stored Cross-site Scripting at File Attachments |
| CVE-2024-27299 | unknown | — | — | | | | 2y ago | phpMyFAQ SQL Injection at "Save News" |
| CVE-2024-29196 | unknown | — | — | | | | 2y ago | phpMyFAQ Path Traversal in Attachments |
| CVE-2024-24574 | unknown | — | — | | | | 2y ago | phpMyFAQ vulnerable to stored XSS on attachments filename |
| CVE-2024-22208 | unknown | — | — | | | | 2y ago | phpMyFAQ sharing FAQ functionality can easily be abused for phishing purposes |
| CVE-2024-22202 | unknown | — | — | | | | 2y ago | phpMyFAQ User Removal Page Allows Spoofing Of User Details |
| CVE-2022-3608 | unknown | — | — | | | | 4y ago | phpMyFAQ vulnerable to Cross-site Scripting |