CVE-2026-24422

Exploit

EPSS 0.01%
Veröffentlicht 24.01.2026 02:02:30
Zuletzt bearbeitet 28.01.2026 18:10:23
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Phpmyfaq ≫ Phpmyfaq Version < 4.0.17

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.015

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-24422

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24422

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24422

EUVD