PatchSiren cyber security CVE debrief
CVE-2026-57996 phpMyFAQ CVE debrief
CVE-2026-57996 is a high-severity privilege escalation vulnerability in phpMyFAQ before version 4.1.5. A delegated administrator with USER_ADD/EDIT/DELETE permissions can create a SuperAdmin account via the user/add API endpoint, potentially leading to full instance takeover. The vulnerability exists due to inadequate validation of user input, allowing an attacker to bypass normal access controls. This issue affects phpMyFAQ deployments where administrators have delegated permissions, and attackers may exploit this vulnerability to gain elevated privileges.
- Vendor
- phpMyFAQ
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
Administrators and users of phpMyFAQ versions prior to 4.1.5 should be aware of this vulnerability and take immediate action to mitigate the risk. This includes updating to the latest version, restricting USER_ADD/EDIT/DELETE permissions, and monitoring user account creation and modifications. Security teams and vulnerability management teams should prioritize this vulnerability due to its high severity and potential impact on phpMyFAQ deployments.
Technical summary
The vulnerability exists in the user/add API endpoint of phpMyFAQ, allowing a delegated administrator with USER_ADD/EDIT/DELETE permissions to create a SuperAdmin account by setting 'isSuperAdmin' to true and providing attacker-chosen credentials. This could lead to full instance takeover. The issue arises from insufficient validation of user input, enabling an attacker to create a new SuperAdmin account with arbitrary credentials.
Defensive priority
High
Recommended defensive actions
- Update phpMyFAQ to version 4.1.5 or later
- Restrict USER_ADD/EDIT/DELETE permissions to SuperAdmin accounts
- Monitor user account creation and modifications
- Implement additional security measures to detect and prevent exploitation
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-15T12:18:16.143Z and last modified on 2026-07-16T16:19:14.350Z. The NVD entry is currently Deferred. The vulnerability was reported by a security researcher and is related to a privilege escalation issue in phpMyFAQ before version 4.1.5. The researcher verified the vulnerability and provided detailed information about the affected endpoint and potential impact.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T12:18:16.143Z and has not been modified since then. The NVD entry is currently Deferred.