phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check | Advisories

Advisories

phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check

severity: medium
date: 5/15/2026
Affecting: phpmyfaq >= 0, < 4.1.2
CVE: CVE-2026-46362
CWE: CWE-863 Incorrect Authorization
CVSS: 6.5
References: GHSA Advisory GHSA-hpgw-ww76-c68r
Credit: offset
Description: phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo