Security Advisory 2026-04-28
Multiple vulnerabilities in phpMyFAQ
- Issued on: 2026-04-28
- Software: phpMyFAQ <= 4.1.1
- Risk: Critical
- Platforms: all
The phpMyFAQ Team has learned of critical security issues that have been discovered in phpMyFAQ 4.1.1 and earlier.
Description
BuiltinCaptcha is vulnerable to unauthenticated SQL injection through the User-Agent header, rated critical.
In Client::deleteClientFolder, a moderate path traversal flaw lets non-super-admin admins delete arbitrary directories.
Through the getFaqBySolutionId fallback query, attackers can bypass FAQ permissions without authentication — severity high.
Unescaped OAuth token fields introduce a high severity SQL injection in CurrentUser::setTokenData.
Because /admin/check accepts an arbitrary user-id, an unauthenticated 2FA brute-force attack is possible (critical).
Due to an insufficient authorization check, ordinary authenticated users can reach admin-only API endpoints — a moderate issue.
Search result rendering in search.twig suffers from a moderate stored XSS, where the | raw filter bypasses html_entity_decode(strip_tags()).
Twelve admin API configuration tab endpoints lack the CONFIGURATION_EDIT permission check, leaking configuration data to any authenticated user (moderate).
The SVG sanitizer's entity decoding depth limit can be bypassed, resulting in stored XSS at moderate severity.
An encode-decode bypass of removeAttributes() sanitization enables moderate stored XSS in FAQ question and answer content.
Tag deletion lacks an authorization check, so any authenticated user can delete tags — rated moderate.
A non-terminating permission check causes a moderate authorization bypass across all admin pages.
Comment rendering is affected by a high severity stored XSS through Utils::parseUrl().
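To illustrate the non-terminating permission check class listed above, here is hypothetical PHP (added here, not phpMyFAQ's own code; the function names, role names and page logic are assumed) showing a guard that reports denial but lets the request continue, beside a guard whose denial actually stops the page:

```php
<?php
// Added illustration (hypothetical code, not phpMyFAQ's) of a
// non-terminating permission check and its fix.

// VULNERABLE: the helper redirects on failure but does not stop execution,
// so every caller keeps running the privileged code that follows the call.
function requireAdminVulnerable(array $user): void
{
    if (!in_array('admin', $user['roles'], true)) {
        header('Location: /login');
        // Missing exit: the redirect header is sent, but the rest of the
        // page still executes and its side effects still happen.
    }
}

// FIXED: denial is terminal. The helper returns a boolean so the caller's
// control flow is explicit, and the caller itself ends the request.
function requireAdminFixed(array $user): bool
{
    if (!in_array('admin', $user['roles'], true)) {
        http_response_code(403);
        return false;
    }
    return true;
}

// Admin page using the fixed helper: nothing below the guard runs unless
// the guard passed.
function adminPage(array $user): string
{
    if (!requireAdminFixed($user)) {
        return 'Permission denied';
    }
    return performPrivilegedAction();
}

function performPrivilegedAction(): string
{
    return 'configuration updated';
}

// Constructed sample users for a quick manual check.
var_dump(adminPage(['roles' => ['admin']]));  // "configuration updated"
var_dump(adminPage(['roles' => ['user']]));   // "Permission denied"
```

The minimal fix for the vulnerable helper is an `exit;` immediately after `header('Location: ...')`; the boolean form is preferable because it keeps the decision visible at every call site.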
Solution
The phpMyFAQ Team has released the new phpMyFAQ version 4.1.2, which fixes the vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
There's no workaround except installing phpMyFAQ 4.1.2.
Thanks
The phpMyFAQ team would like to thank ericliu-12, offset, Doodi101, kitu232, and adragos for the responsible disclosures of these vulnerabilities.