CVE Catalog

CVE-2026-49205

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController, allowing unauthorized operations on four API endpoints.

Risk Assessment

The lack of proper authorization may lead to unauthorized access to data and operations, posing a serious security risk to the application and user data.

Recommendation

It is recommended to upgrade phpMyFAQ to version 4.1.4 or later to mitigate this vulnerability and ensure proper authorization in the API.

Original NVD description (English source)

phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: $this->userHasPermission(PermissionType::BACKUP). The same fix was not applied to 4 other write endpoints in the public API. All 4 only call $this->hasValidToken() — which checks a shared API key header, rather than the individual user's role permissions. The following APIs are affected: POST /api/v4.0/category (CategoryController::create), POST /api/v4.0/faq (FaqController::create), PUT /api/v4.0/faq (FaqController::update), and POST /api/v4.0/question (QuestionController::create). This issue has been fixed in version 4.1.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS