CVE-2026-46362

Description

phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-15 | Updated 2026-05-18 | Assigner VulnCheck

Problem types

Incorrect Authorization

Product status

Credits

offset reporter

References

github.com/...pMyFAQ/security/advisories/GHSA-hpgw-ww76-c68r (GHSA Advisory GHSA-hpgw-ww76-c68r) vendor-advisory

www.vulncheck.com/...es-via-non-terminating-permission-check (VulnCheck Advisory: phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check) third-party-advisory

cve.org (CVE-2026-46362)

nvd.nist.gov (CVE-2026-46362)

Download JSON