cbcvebase.
CVE-2026-24420
published 2026-01-24

CVE-2026-24420: phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ…

Priority: P3 39
Severity: medium (CVSS 3.1 base score 6.5)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.42% (33.7th percentile)
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments because of an incomplete permissions check. The mere presence of a rights key is improperly accepted as proof of authorization in attachment.php, without checking that the right is actually granted. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version 4.0.17.
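The two weaknesses the description names are shown below as an added, self-contained PHP illustration; this is not phpMyFAQ's own code, and the function names, the rights-map layout and the shape of the mis-grouped conditional are assumptions chosen to make the pattern visible. The first vulnerable function treats key presence (isset) as a grant, so an explicitly denied right still passes; the second shows one common way a user/group conditional goes wrong (operator precedence binding && tighter than ||); the hardened check requires an explicit boolean true for the user or one of the user's groups.

```php
<?php
// Added example, not phpMyFAQ code. Models the patterns described in the
// advisory with hypothetical names and a constructed rights map.

// Constructed sample data: a rights map as a permission layer might load it.
// Every known right has a key; the boolean value says whether it is granted.
$userRights = [
    'dlattachment' => false,   // present, but explicitly denied
    'viewfaq'      => true,
];
$groupRights = [
    'dlattachment' => false,   // none of the user's groups grant it either
];

// Vulnerable pattern 1: isset() proves only that the key exists, not that the
// right is granted, so a denied user with the key present still gets through.
function canDownloadPresenceOnly(array $rights): bool
{
    return isset($rights['dlattachment']);
}

// Vulnerable pattern 2 (hypothetical shape of a flawed conditional): && binds
// tighter than ||, so what was meant as "(user OR group) AND not restricted"
// evaluates as "user OR (group AND not restricted)" and ignores the
// restriction whenever the user flag is set.
function canDownloadMisgrouped(bool $userAllowed, bool $groupAllowed, bool $restricted): bool
{
    return $userAllowed || $groupAllowed && !$restricted;
}

// Hardened check: grant only on an explicit true for the user or the group,
// with the restriction applied to the combined result. Missing keys deny.
function canDownloadHardened(array $userRights, array $groupRights, bool $restricted = false): bool
{
    $userAllowed  = ($userRights['dlattachment']  ?? false) === true;
    $groupAllowed = ($groupRights['dlattachment'] ?? false) === true;
    return ($userAllowed || $groupAllowed) && !$restricted;
}

// Demonstration: the same denied user evaluated by each check.
var_dump(canDownloadPresenceOnly($userRights));          // key exists, value is false
var_dump(canDownloadMisgrouped(true, false, true));      // restricted, yet user flag wins
var_dump(canDownloadHardened($userRights, $groupRights)); // explicit false denies
```

Run with `php example.php`. The practical check when reviewing an authorization layer is to grep for `isset(` and `array_key_exists(` applied to rights or capability maps and confirm the value, not the key, is what grants access; and to parenthesize any conditional that mixes || and && so the grouping is the one intended.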

Affected (4 ranges)

Vendor     Product    Version range     Fixed in
phpmyfaq   phpmyfaq   < 4.0.17          4.0.17
phpmyfaq   phpmyfaq   >= 0 < 4.0.17     4.0.17
thorsten   phpmyfaq   < 4.0.17          4.0.17
thorsten   phpmyfaq   >= 0 < 4.0.17     4.0.17