CVE-2026-49205
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController, allowing unauthorized operations on four API endpoints.
Risk Assessment
The lack of proper authorization may lead to unauthorized access to data and operations, posing a serious security risk to the application and user data.
Recommendation
It is recommended to upgrade phpMyFAQ to version 4.1.4 or later to mitigate this vulnerability and ensure proper authorization in the API.
Original NVD description (English source)
phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: $this->userHasPermission(PermissionType::BACKUP). The same fix was not applied to 4 other write endpoints in the public API. All 4 only call $this->hasValidToken() — which checks a shared API key header, rather than the individual user's role permissions. The following APIs are affected: POST /api/v4.0/category (CategoryController::create), POST /api/v4.0/faq (FaqController::create), PUT /api/v4.0/faq (FaqController::update), and POST /api/v4.0/question (QuestionController::create). This issue has been fixed in version 4.1.4.

