CVE-2026-24422 | THREATINT

Description

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17.

PUBLISHED Reserved 2026-01-22 | Published 2026-01-24 | Updated 2026-01-26 | Assigner GitHub_M

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

< 4.0.17

affected

References

github.com/...pMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc

cve.org (CVE-2026-24422)

nvd.nist.gov (CVE-2026-24422)

Download JSON