Security Advisory 2026-05-25

Multiple vulnerabilities in phpMyFAQ

Issued on:
2026-05-25
Software:
phpMyFAQ <= 4.1.3
Risk:
High
Platforms:
all

The phpMyFAQ Team has learned of security issues that were discovered in phpMyFAQ 4.1.3 and earlier.

Description

A high-risk issue existed where a previous fix for the admin API Insecure Direct Object Reference (IDOR) and privilege-escalation class of vulnerabilities was incomplete, leaving paths through which an attacker could still access or modify resources belonging to other users. The affected endpoints now enforce ownership and permission checks consistently.

A high-risk issue existed where the fix for CVE-2026-24421 was incomplete: four API write endpoints still lacked a userHasPermission() check, allowing authenticated users to perform privileged write operations they were not authorized for. The missing permission checks have been added to all affected endpoints.
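The two issues above share one root cause: a write endpoint acted on a client-supplied record id without first asking whether the caller held the required permission and owned the record. The following PHP is an added illustration written for this advisory, not phpMyFAQ's own code; the in-memory store, the user records, the permission name "delete_faq", and the userHasPermission() helper are all hypothetical stand-ins for the corresponding pieces of a real admin API. It shows a handler with both defects beside a hardened version that denies by default and checks permission and ownership before mutating anything.

```php
<?php
// Added example, not phpMyFAQ code. All names and data below are hypothetical
// stand-ins for an admin API write endpoint of the kind the advisory describes.
declare(strict_types=1);

// Constructed sample data: two FAQ records owned by different users.
$faqs = [
    10 => ['id' => 10, 'owner' => 1, 'title' => 'Owned by alice'],
    11 => ['id' => 11, 'owner' => 2, 'title' => 'Owned by bob'],
];

// Constructed users: alice holds the delete right, bob holds nothing.
$users = [
    1 => ['id' => 1, 'name' => 'alice', 'permissions' => ['delete_faq']],
    2 => ['id' => 2, 'name' => 'bob',   'permissions' => []],
];

// Hypothetical permission helper; a real application would consult its
// role/ACL tables here.
function userHasPermission(array $user, string $permission): bool
{
    return in_array($permission, $user['permissions'], true);
}

// BEFORE: the handler trusts the client-supplied id and never looks at who is
// calling. Any authenticated user can delete any record: an IDOR combined with
// a missing permission check. ($user is accepted but deliberately ignored.)
function deleteFaqVulnerable(array &$faqs, array $user, int $id): array
{
    if (!isset($faqs[$id])) {
        return ['status' => 404];
    }
    unset($faqs[$id]);
    return ['status' => 200];
}

// AFTER: deny by default. The caller must hold the write permission AND own the
// record. An "act on anyone's record" right would be a separate, explicit
// permission rather than the absence of this check.
function deleteFaqHardened(array &$faqs, array $user, int $id): array
{
    if (!userHasPermission($user, 'delete_faq')) {
        return ['status' => 403, 'error' => 'permission denied'];
    }
    // Returning 404 for both "does not exist" and "not yours" avoids turning the
    // endpoint into an oracle for which ids exist.
    if (!isset($faqs[$id]) || $faqs[$id]['owner'] !== $user['id']) {
        return ['status' => 404];
    }
    unset($faqs[$id]);
    return ['status' => 200];
}

// Walk-through from the CLI: bob (no delete permission) targets alice's record.
$copy = $faqs;
$r = deleteFaqVulnerable($copy, $users[2], 10);
printf("vulnerable: bob deletes faq 10 -> %d, record gone: %s\n",
    $r['status'], isset($copy[10]) ? 'no' : 'yes');

$copy = $faqs;
$r = deleteFaqHardened($copy, $users[2], 10);
printf("hardened:   bob deletes faq 10 -> %d, record gone: %s\n",
    $r['status'], isset($copy[10]) ? 'no' : 'yes');

$copy = $faqs;
$r = deleteFaqHardened($copy, $users[1], 11);
printf("hardened:   alice deletes faq 11 (bob's) -> %d, record gone: %s\n",
    $r['status'], isset($copy[11]) ? 'no' : 'yes');

$copy = $faqs;
$r = deleteFaqHardened($copy, $users[1], 10);
printf("hardened:   alice deletes faq 10 (hers) -> %d, record gone: %s\n",
    $r['status'], isset($copy[10]) ? 'no' : 'yes');
```

When auditing a fix of this kind, the useful check is not that the permission helper exists but that every write endpoint calls it before the first mutating statement, and that the ownership comparison uses the authenticated caller's id rather than anything taken from the request body.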

A low-risk issue existed where phpMyFAQ hashed attachment passwords with SHA-1, a cryptographically broken algorithm that has been susceptible to practical collision attacks since the 2017 SHAttered disclosure. Collisions aside, a fast general-purpose digest such as SHA-1 is unsuitable for password storage in any case, because it lets an attacker test candidate passwords at very high speed; password storage calls for a deliberately slow, salted function such as bcrypt or Argon2. The affected code was unused and has been removed.

Solution

The phpMyFAQ Team has released the new phpMyFAQ version 4.1.4, which fixes the vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 4.1.4. Until the upgrade is applied, administrators should treat every account that can reach the admin API as able to read or modify other users' resources.

Thanks

The phpMyFAQ team would like to thank N0tFix3d, SnailSploit, and santhoshinipayload for the responsible disclosures of these vulnerabilities.