PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46365 thorsten CVE debrief

CVE-2026-46365 affects phpMyFAQ before 4.1.2 and is a missing-authorization issue in the DELETE /admin/api/content/tags/{tagId} endpoint. Any logged-in user, including non-admin frontend users, can delete tags with a valid session cookie, which can permanently disrupt FAQ organization and cause data loss.

Vendor: thorsten
Product: phpmyfaq
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Administrators and operators of phpMyFAQ installations, especially environments that allow broad user authentication or mixed frontend/admin access. Security and application owners should treat tag integrity as user-impacting content control, not a low-risk cosmetic feature.

Technical summary

The vulnerability is an authorization bypass on a tag-deletion API route: the endpoint accepts any authenticated request and does not restrict deletion to authorized roles. The reported impact is loss of content integrity, with no confidentiality impact; the published CVSS vector reflects network access, low attack complexity, low privileges, no user interaction, and low integrity and availability impact.

Defensive priority

Medium. The flaw requires authentication, but it can still cause permanent content disruption in exposed phpMyFAQ deployments.

Recommended defensive actions

  • Upgrade phpMyFAQ to 4.1.2 or later.
  • Verify that DELETE /admin/api/content/tags/{tagId} is restricted to authorized administrative roles only.
  • Review related API authorization checks for other admin endpoints to ensure consistent role enforcement.
  • Audit recent tag deletions and other content changes for unauthorized activity.
  • Monitor application and access logs for unusual authenticated DELETE requests to tag-management routes.
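An added example of the log review suggested above (not code from PatchSiren or the phpMyFAQ project): it scans web-server access-log lines in combined log format for DELETE requests to /admin/api/content/tags/{tagId} and tallies successful deletions per source IP. The log lines are constructed for illustration, and the log format is an assumption to adjust to your server.

```python
import re
from collections import Counter

# Combined log format (assumption: adjust the pattern to your web server's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The route named in the advisory: DELETE /admin/api/content/tags/{tagId}
TAG_DELETE_RE = re.compile(r'^/admin/api/content/tags/(?P<tag_id>[^/]+)/?$')


def find_tag_deletions(lines):
    """Return one record per DELETE request aimed at the tag-deletion route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group('method') != 'DELETE':
            continue
        # Ignore any query string before matching the path.
        route = TAG_DELETE_RE.match(m.group('path').split('?', 1)[0])
        if not route:
            continue
        hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                     'tag_id': route.group('tag_id'),
                     'status': int(m.group('status'))})
    return hits


def successful_deletes_by_ip(hits):
    """Count 2xx deletions per client; a burst from one client is worth a closer look."""
    return Counter(h['ip'] for h in hits if 200 <= h['status'] < 300)


# Constructed sample lines, not real data; on an unpatched install a non-admin
# session would receive 200 on this route instead of 403.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2026:10:01:02 +0000] "GET /admin/api/content/tags/42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/May/2026:10:01:05 +0000] "DELETE /admin/api/content/tags/42 HTTP/1.1" 200 17',
    '203.0.113.7 - - [15/May/2026:10:01:06 +0000] "DELETE /admin/api/content/tags/43 HTTP/1.1" 200 17',
    '198.51.100.9 - - [15/May/2026:10:02:00 +0000] "DELETE /admin/api/content/tags/7 HTTP/1.1" 403 0',
    '198.51.100.9 - - [15/May/2026:10:02:30 +0000] "DELETE /admin/api/content/faqs/7 HTTP/1.1" 200 17',
]

if __name__ == '__main__':
    hits = find_tag_deletions(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} deleted tag {h['tag_id']} -> {h['status']}")
    print(dict(successful_deletes_by_ip(hits)))
```

The access log cannot show which role the session held, so each flagged request still has to be correlated with the application's own user and session records to decide whether the caller was an authorized administrator.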

Evidence notes

The issue description and vendor advisory references identify a missing authorization vulnerability in phpMyFAQ before 4.1.2 affecting DELETE /admin/api/content/tags/{tagId}. NVD lists the CVE as Deferred and records the CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L with CWE-862 as the associated weakness.

Official resources

Publicly disclosed through the referenced advisory materials and reflected in the NVD record; the CVE was published on 2026-05-15 and later modified on 2026-05-18.