phpMyFAQ: The FAQ That Answered Too Much (CVE-2026-24422)
Vulnerability ID: CVE-2026-24422
CVSS Score: 5.3
Published: 2026-01-23
An information disclosure vulnerability in phpMyFAQ's API allows unauthenticated attackers to harvest user email addresses and view hidden 'invisible' questions due to improper output filtering.
TL;DR
phpMyFAQ 3.x API endpoints default to over-sharing. An unauthenticated attacker can query the public API to retrieve a full dump of open questions—including those marked invisible—and the email addresses of the users who asked them. No authentication required, just a simple GET request.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-200
- Attack Vector: Network (API)
- CVSS: 5.3 (Medium)
- Impact: Information Disclosure
- Privileges Required: None
- Exploit Status: Public PoC Available
Affected Systems
- phpMyFAQ 3.0
- phpMyFAQ 3.1
- phpMyFAQ 3.2
- phpMyFAQ: >= 3.0.0, < 3.2.5 (Fixed in: 3.2.5)
Exploit Details
- GitHub Advisory: Original advisory containing the curl proof of concept.
Mitigation Strategies
- Disable the API if not in use
- Implement a Reverse Proxy to block /api/ paths for external users
- Apply vendor patches immediately
Remediation Steps:
- Upgrade phpMyFAQ to version 3.2.5 or later immediately.
- If upgrading is impossible, edit the `OpenQuestionController` to hardcode `$showAll = false` for unauthenticated sessions.
- Review access logs for requests to `/api/v3.0/open-questions` to see if data has already been exfiltrated.
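The log review in the last step can be scripted. The following is an added example, not code from the advisory or from the phpMyFAQ project: it parses Apache/nginx "combined" access-log lines, keeps only requests to the `/api/v3.0/open-questions` endpoint named above (ignoring any query string), and summarises them per client so you can see who received a `200` response, how often, and how many bytes the server returned. The log lines are constructed for the example; the log format, the helper names and the "200 means data was served" heuristic are assumptions, not anything the advisory states.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format (assumed). We only need the client IP,
# timestamp, request line and status/size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Endpoint named in the advisory's remediation step.
TARGET_PATH = "/api/v3.0/open-questions"

# Constructed sample log: two dumps by one client, a normal FAQ visit,
# a request to a different API route, a blocked attempt, and a junk line.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jan/2026:10:01:02 +0000] "GET /api/v3.0/open-questions HTTP/1.1" 200 48213 "-" "curl/8.4.0"
203.0.113.5 - - [23/Jan/2026:10:01:09 +0000] "GET /api/v3.0/open-questions?lang=en HTTP/1.1" 200 48213 "-" "curl/8.4.0"
198.51.100.7 - - [23/Jan/2026:10:02:30 +0000] "GET /index.php?action=faq&id=12 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jan/2026:10:02:41 +0000] "GET /api/v3.0/faqs HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Jan/2026:10:05:00 +0000] "GET /api/v3.0/open-questions HTTP/1.1" 403 512 "-" "python-requests/2.31"
this line is not a valid access-log record
"""


def parse_line(line):
    """Return a dict of the fields we care about, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        # Drop the query string and any trailing slash so variants still match.
        "path": m.group("path").split("?", 1)[0].rstrip("/"),
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),
    }


def find_open_question_hits(lines):
    """Keep only parsed records whose path is the open-questions endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == TARGET_PATH:
            hits.append(rec)
    return hits


def summarize(hits):
    """Aggregate hits per client IP: request count, bytes served, status breakdown."""
    summary = defaultdict(lambda: {"count": 0, "bytes": 0, "statuses": Counter()})
    for rec in hits:
        entry = summary[rec["ip"]]
        entry["count"] += 1
        entry["bytes"] += rec["bytes"]
        entry["statuses"][rec["status"]] += 1
    return dict(summary)


def likely_disclosures(summary):
    """Clients that got at least one 200 from the endpoint, i.e. the server answered.
    A 200 on an unpatched instance means the open-question dump (with emails) was served."""
    return sorted(ip for ip, e in summary.items() if e["statuses"].get(200, 0) > 0)


if __name__ == "__main__":
    hits = find_open_question_hits(SAMPLE_LOG.splitlines())
    for ip, entry in summarize(hits).items():
        print(f"{ip}: {entry['count']} requests, {entry['bytes']} bytes, statuses {dict(entry['statuses'])}")
    print("clients that received data:", likely_disclosures(summarize(hits)))
```

Run it against a real log with `find_open_question_hits(open("access.log"))` instead of the sample. A `403` or `404` on the endpoint shows that the reverse-proxy block or the patched controller is working; a `200` with a large response size from an unfamiliar client is the signal that the open-question data, and the asker email addresses with it, has already left the server.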
References
Read the full report for CVE-2026-24422 on our website for more details including interactive diagrams and full exploit analysis.