PatchSiren

thorsten CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM thorsten CVE published 2026-06-18

CVE-2026-49205

CVE-2026-49205 is a medium-severity vulnerability in phpMyFAQ's API CategoryController. Versions prior to 4.1.4 have missing authorization in the API, specifically in the CategoryController and other write endpoints. This allows unauthorized users to create, update, and delete FAQs and categories. The issue was addressed in version 4.1.4. Users should update to the latest version to prevent exploitation. [truncated]

LOW thorsten CVE published 2026-06-08

CVE-2026-48488

CVE-2026-48488 is a low-severity vulnerability in phpMyFAQ, a popular open-source FAQ web application. Prior to version 4.1.4, attachment passwords were hashed using SHA-1, a cryptographically broken algorithm that has been vulnerable to collision attacks since 2017 (SHAttered). This vulnerability has a CVSS score of 2.7 and was published on 2026-06-08. The issue was fixed in version 4.1.4 of phpMyFAQ.

HIGH thorsten CVE published 2026-05-28

CVE-2026-35676

phpMyFAQ versions prior to 4.1.3 contain an unauthenticated password reset vulnerability in the user password update API endpoint. The vulnerability allows attackers to change account passwords without token validation by sending PUT requests to /api/index.php/user/password/update. Attackers can enumerate valid username and email pairs to force immediate password changes, resulting in account disruption a [truncated]

HIGH thorsten CVE published 2026-05-28

CVE-2026-35675

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint. The flaw allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Successful exploitation enables attackers to enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access [truncated]

HIGH thorsten CVE published 2026-05-28

CVE-2026-35672

phpMyFAQ versions prior to 4.1.3 contain an authentication bypass vulnerability in API v4.0. The root cause is a default empty value for the `api.apiClientToken` configuration parameter, which allows unauthenticated attackers to bypass token validation by sending an empty `x-pmf-token` header. Successful exploitation permits creation and modification of FAQ entries via POST endpoints including `/api/v4.0/ [truncated]

HIGH thorsten CVE published 2026-05-28

CVE-2026-35671

phpMyFAQ before 4.1.3 contains an insecure direct object reference (IDOR) vulnerability in the admin API user password endpoint. Authenticated administrators with low privileges can change any user's password, including SuperAdmin accounts, by manipulating the userId parameter in overwrite-password API requests, enabling privilege escalation. The vulnerability was disclosed on 2026-05-28 with a CVSS 4.0 sco [truncated]

HIGH thorsten CVE published 2026-05-15

CVE-2026-46367

CVE-2026-46367 is a high-severity stored cross-site scripting issue in phpMyFAQ before 4.1.2. The flaw is in Utils::parseUrl() and affects comment rendering, where malformed URLs can be turned into stored script content. Because the attacker must be authenticated but the payload is stored and later rendered to other users, the risk includes session theft and application takeover when affected FAQ pages are viewed.

HIGH thorsten CVE published 2026-05-15

CVE-2026-46366

CVE-2026-46366 describes an information disclosure issue in phpMyFAQ before 4.1.2. According to the supplied record, the getIdFromSolutionId() method does not apply permission filtering, which can let unauthenticated attackers enumerate solution IDs and reveal restricted FAQ entry titles through the /solution_id_{id}.html endpoint. The issue is confidentiality-focused, can affect restricted content, and i [truncated]

MEDIUM thorsten CVE published 2026-05-15

CVE-2026-46365

CVE-2026-46365 affects phpMyFAQ before 4.1.2 and is a missing-authorization issue in the DELETE /admin/api/content/tags/{tagId} endpoint. Any logged-in user, including non-admin frontend users, can delete tags with a valid session cookie, which can permanently disrupt FAQ organization and cause data loss.

CRITICAL thorsten CVE published 2026-05-15

CVE-2026-46364

CVE-2026-46364 is a critical unauthenticated SQL injection in phpMyFAQ before 4.1.2. The issue is triggered through the public /api/captcha flow, where malicious User-Agent values are interpolated into SQL in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha(). Because the injection is reachable without authentication, exposed databases may leak sensitive information such as user credenti [truncated]

MEDIUM thorsten CVE published 2026-05-15

CVE-2026-46363

CVE-2026-46363 is a medium-severity stored cross-site scripting issue in phpMyFAQ before 4.1.2. Authenticated users with FAQ_ADD permission can inject malicious content through FAQ create/update paths, and the payload can persist until it is rendered to other users.

HIGH thorsten CVE published 2026-05-15

CVE-2026-46362

CVE-2026-46362 is a medium-severity authorization bypass affecting phpMyFAQ before 4.1.2. The issue is described as a failure in AbstractAdministrationController::userHasPermission() to stop execution after sending a forbidden response, which can let authenticated users reach permission-protected admin pages. The exposed data can include admin logs, user records, system information, and application config [truncated]

HIGH thorsten CVE published 2026-05-15

CVE-2026-46361

CVE-2026-46361 is a stored cross-site scripting vulnerability in phpMyFAQ before 4.1.2. The issue is described as unsafe rendering in search.twig, where result.question and result.answerPreview are output with the raw filter, bypassing Twig autoescape protections. An attacker with FAQ editor privileges can store HTML-entity-encoded payloads that survive the SearchController.php processing path and execute [truncated]

MEDIUM thorsten CVE published 2026-05-15

CVE-2026-46360

CVE-2026-46360 describes a stored cross-site scripting issue in phpMyFAQ’s SVG sanitization path. The sanitizer’s recursive entity decoding stops after 5 iterations, which can let deeply nested entity encodings survive filtering and reconstruct a dangerous javascript: URL. In the affected workflow, an authenticated user with FAQ_EDIT permission can upload a crafted SVG that later executes arbitrary JavaSc [truncated]

HIGH thorsten CVE published 2026-05-15

CVE-2026-46359

CVE-2026-46359 is an authenticated SQL injection issue affecting phpMyFAQ before 4.1.2. According to the published description, malicious OAuth token claims can reach CurrentUser::setTokenData unsafely, allowing attackers to break out of string literals and execute arbitrary SQL.

CRITICAL thorsten CVE published 2026-05-15

CVE-2026-45010

CVE-2026-45010 is a critical authentication-bypass issue in phpMyFAQ before 4.1.2. The /admin/check endpoint accepts arbitrary user-id parameters without tying the check to an existing session or enforcing meaningful rate limits, allowing an unauthenticated attacker to brute-force a six-digit TOTP and reach administrative access. Because the flaw defeats the intended second factor, the impact is severe ev [truncated]

MEDIUM thorsten CVE published 2026-05-15

CVE-2026-45009

CVE-2026-45009 is a medium-severity authorization weakness in phpMyFAQ before 4.1.2. The issue lets a logged-in frontend user reach admin-api routes that should be restricted to privileged administrators. As disclosed, the exposed backend data can include dashboard version details, LDAP configuration, Elasticsearch statistics, and health-check information. This is primarily an access-control failure rathe [truncated]

HIGH thorsten CVE published 2026-05-15

CVE-2026-45008

CVE-2026-45008 affects phpMyFAQ before 4.1.2. A path traversal issue in Client::deleteClientFolder can let an authenticated admin with INSTANCE_DELETE delete directories outside the intended clientFolder scope. The impact is integrity and availability loss through unintended recursive directory deletion.

MEDIUM thorsten CVE published 2026-05-15

CVE-2026-45007

CVE-2026-45007 is an access-control flaw in phpMyFAQ before 4.1.2. In ConfigurationTabController.php, 12 /admin/api/configuration endpoints used userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT), so any authenticated user could query configuration metadata such as the permission model, cache backend, mail provider, and translation provider. The issue is confidentiality-only, but it we [truncated]