PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49205 thorsten CVE debrief

CVE-2026-49205 is a medium-severity vulnerability (CVSS 6.5) in phpMyFAQ's API CategoryController. Versions prior to 4.1.4 lack authorization checks in the API, specifically in the CategoryController and other write endpoints, which allows unauthorized users to create, update, and delete FAQs and categories. The issue was addressed in version 4.1.4; users should update to the latest version to prevent exploitation. Administrators of phpMyFAQ installations should take immediate action to protect their systems.

Vendor: thorsten
Product: phpMyFAQ
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-22
Advisory published: 2026-06-18
Advisory updated: 2026-06-22

Who should care

Administrators of phpMyFAQ installations, security teams, and developers using phpMyFAQ in their applications should be aware of this vulnerability and update to version 4.1.4 or later.

Technical summary

The vulnerability exists in the phpMyFAQ API, specifically in the CategoryController and other write endpoints (POST /api/v4.0/category, POST /api/v4.0/faq, PUT /api/v4.0/faq, and POST /api/v4.0/question). These endpoints only check for a shared API key header rather than the individual user's role permissions, so any caller presenting the shared key can create, update, or delete content regardless of the role that user actually holds. The issue was fixed in version 4.1.4 by adding proper authorization checks to these endpoints.
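The following is an added illustration, not phpMyFAQ's own code: the write endpoints named above, guarded first by the pre-fix "shared API key only" check and then by a check that also requires the authenticated user's role permission. The header name, the permission names, and the key value are assumptions.

```python
# Added illustration (not phpMyFAQ's code). Header name, permission names and
# the key value are assumptions chosen for the example.
import hmac
from dataclasses import dataclass

API_KEY = "constructed-shared-api-key"   # constructed sample value

# Write endpoints named in the advisory, mapped to the permission (assumed
# names) a caller's role must grant before the request is accepted.
WRITE_ENDPOINTS = {
    ("POST", "/api/v4.0/category"): "add_category",
    ("POST", "/api/v4.0/faq"):      "add_faq",
    ("PUT",  "/api/v4.0/faq"):      "edit_faq",
    ("POST", "/api/v4.0/question"): "add_question",
}


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    headers: dict
    user_perms: frozenset = frozenset()   # permissions of the authenticated user


def _key_ok(req: Request) -> bool:
    """Constant-time comparison of the presented key (assumed header name)."""
    presented = req.headers.get("X-Api-Key", "")
    return hmac.compare_digest(presented, API_KEY)


def vulnerable_authorize(req: Request) -> int:
    """Pre-4.1.4 pattern: the shared key alone is enough to write."""
    return 200 if _key_ok(req) else 401


def hardened_authorize(req: Request) -> int:
    """Fixed pattern: the key authenticates; the role permission authorizes."""
    if not _key_ok(req):
        return 401
    needed = WRITE_ENDPOINTS.get((req.method, req.path))
    if needed is None:
        return 404                      # unknown write route: fail closed
    if needed not in req.user_perms:
        return 403                      # key present, but role lacks the right
    return 200
```

A user whose role only permits reading gets 200 from the vulnerable check and 403 from the hardened one; the difference between the two status codes is exactly the missing authorization the advisory describes.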

Defensive priority

High

Recommended defensive actions

  • Update phpMyFAQ to version 4.1.4 or later
  • Review and restrict API access to sensitive endpoints
  • Implement proper authorization and authentication mechanisms
  • Monitor API usage and logs for suspicious activity
  • Consider implementing additional security measures such as IP whitelisting or rate limiting

Evidence notes

The vulnerability was reported and addressed by the phpMyFAQ developers. The CVE record and NVD details provide additional information about the vulnerability. References to the GitHub commit and security advisory provide further context.

Official resources

CVE-2026-49205 was published on 2026-06-18T22:16:31.937Z and has not been modified since then.