CVE-2026-56396
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk16th percentile - higher than 16% of all known CVEs
Summary
phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights to escalate to SuperAdmin access.
Risk Assessment
Privilege escalation by unauthorized users can lead to serious security breaches, including unauthorized access to sensitive data and administrative functions. Organizations should be aware of the risks associated with improper permission management.
Recommendation
It is recommended to update phpMyFAQ to version 4.1.4 or later to mitigate these authorization vulnerabilities. Additionally, a user permission audit should be conducted to ensure that only authorized administrators have access to critical functions.
Original NVD description (English source)
phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights to escalate to SuperAdmin access.

