Home

Description

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version

PUBLISHED Reserved 2026-01-22 | Published 2026-01-24 | Updated 2026-01-26 | Assigner GitHub_M




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-284: Improper Access Control

Product status

< 4.0.17
affected

References

github.com/...pMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv

cve.org (CVE-2026-24420)

nvd.nist.gov (CVE-2026-24420)

Download JSON