CVE-2026-24421
published 2026-01-24


Priority: P3 (51)
Severity: medium, CVSS 3.1 base score 6.5
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 1.73% (74.8th percentile)
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user, regardless of their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.
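As an added illustration (not code from phpMyFAQ or from the advisory), the authentication-only check the description refers to, beside a version that also requires a configuration/admin right before doing any work or disclosing a path. The User class, the 'backup' right name, the handler signatures and the placeholder ZIP path are assumptions made for this example, not phpMyFAQ's real API.

```php
<?php
// Added example, not phpMyFAQ's own code. User, hasRight() and the 'backup'
// right name are assumptions standing in for the application's permission model.
declare(strict_types=1);

final class User
{
    public function __construct(private bool $authenticated, private array $rights = []) {}
    public function isAuthenticated(): bool { return $this->authenticated; }
    public function hasRight(string $right): bool { return in_array($right, $this->rights, true); }
}

// Vulnerable pattern (the flaw in the advisory): only authentication is checked,
// so any logged-in account can trigger the backup and receive the ZIP link.
function backupVulnerable(User $user): array
{
    if (!$user->isAuthenticated()) {
        return ['status' => 401, 'error' => 'unauthenticated'];
    }
    return ['status' => 200, 'file' => '/content/backup/config-PLACEHOLDER.zip'];
}

// Hardened pattern: authentication AND an explicit configuration/admin right,
// denied by default, before the backup runs or any path is returned.
function backupHardened(User $user): array
{
    if (!$user->isAuthenticated()) {
        return ['status' => 401, 'error' => 'unauthenticated'];
    }
    if (!$user->hasRight('backup')) {
        return ['status' => 403, 'error' => 'forbidden'];
    }
    return ['status' => 200, 'file' => '/content/backup/config-PLACEHOLDER.zip'];
}

function check(bool $cond, string $msg): void
{
    if (!$cond) { throw new RuntimeException($msg); }
}

$nonAdmin = new User(true, ['viewfaq']);            // authenticated, no admin rights
$admin    = new User(true, ['viewfaq', 'backup']);  // authenticated with backup right

check(backupVulnerable($nonAdmin)['status'] === 200, 'non-admin should succeed on the flawed handler');
check(backupHardened($nonAdmin)['status'] === 403, 'non-admin must be denied by the fixed handler');
check(backupHardened($admin)['status'] === 200, 'admin must still be allowed');
echo "authorization checks behave as expected\n";
```

Requires PHP 8.0 or later for constructor property promotion.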

Affected (6 ranges)

Vendor    | Product  | Version range   | Fixed in
phpmyfaq  | phpmyfaq | < 4.0.17        | 4.0.17
phpmyfaq  | phpmyfaq | >= 0, < 4.1.4   | 4.1.4
phpmyfaq  | phpmyfaq | >= 0, < 4.0.17  | 4.0.17
thorsten  | phpmyfaq | < 4.1.4         | 4.1.4
thorsten  | phpmyfaq | >= 0, < 4.1.4   | 4.1.4
thorsten  | phpmyfaq | >= 0, < 4.0.17  | 4.0.17

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | 3.1     | 6.5   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
ghsa   |         | 6.5   | MEDIUM   |