4121 | 4.3 MEDIUM | Network | CWE-863 Incorrect Authorization | CVE-2026-45009 | 2026-05-19 02:25 | 2026-05-16
phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login statu…

4122 | 9.1 CRITICAL | Network | CWE-307 Improper Restriction of Excessive Authentication Attempts | CVE-2026-45010 | 2026-05-19 02:25 | 2026-05-16
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session bind…

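The shape behind CVE-2026-45010, as an added PHP illustration rather than phpMyFAQ's own code: a password re-check that takes the account id from the request lets any caller aim unlimited guesses at any account, while the hardened version reads the account from the server-side session and counts failures per account. The accounts, the session array, the attempt limit and the in-memory attempt counter are constructed for the example; a real fix would persist the counter and, as a separate measure, throttle by client address as well.

```php
<?php
declare(strict_types=1);

// Constructed accounts keyed by user id; the hashes are produced here so the file is self-contained.
$users = [
    1 => ['login' => 'admin', 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    2 => ['login' => 'alice', 'hash' => password_hash('hunter2', PASSWORD_DEFAULT)],
];

// Vulnerable shape: the account to verify is whatever user-id the request names, and no
// failure is ever counted. A caller logged in as alice can aim guesses at admin's password.
function checkPasswordVulnerable(array $users, array $request): bool
{
    $userId = (int) ($request['user-id'] ?? 0);
    if (!isset($users[$userId])) {
        return false;
    }
    return password_verify((string) ($request['password'] ?? ''), $users[$userId]['hash']);
}

// Hardened shape: the account comes from the server-side session only, failures are counted
// per account, and the account is refused after MAX_ATTEMPTS consecutive failures.
const MAX_ATTEMPTS = 5; // limit chosen for the example

function checkPasswordHardened(array $users, array $session, array $request, array &$attempts): bool
{
    $userId = (int) ($session['user-id'] ?? 0);
    if ($userId === 0 || !isset($users[$userId])) {
        return false; // nobody is authenticated, so there is nothing to re-verify
    }
    if (($attempts[$userId] ?? 0) >= MAX_ATTEMPTS) {
        return false; // locked: the hash is not even compared
    }
    $ok = password_verify((string) ($request['password'] ?? ''), $users[$userId]['hash']);
    $attempts[$userId] = $ok ? 0 : ($attempts[$userId] ?? 0) + 1;
    return $ok;
}

$attempts = []; // constructed in-memory counter; persist it (database, cache) in real code
$session  = ['user-id' => 2];                                 // alice is logged in
$request  = ['user-id' => 1, 'password' => 'correct horse']; // ...but the request names admin's account

// The vulnerable check verifies admin's password on alice's behalf; the hardened check ignores
// the request's user-id and compares the supplied password against alice's own hash.
var_dump(checkPasswordVulnerable($users, $request));
var_dump(checkPasswordHardened($users, $session, $request, $attempts));

// Six wrong guesses against alice's own account: the counter stops at MAX_ATTEMPTS and even the
// correct password is refused afterwards until the lock is cleared.
for ($i = 0; $i < 6; $i++) {
    checkPasswordHardened($users, $session, ['password' => "guess$i"], $attempts);
}
var_dump($attempts[2]);
var_dump(checkPasswordHardened($users, $session, ['password' => 'hunter2'], $attempts));
```

Run it with `php` on the command line. The point is the parameter source: once the account id comes from the session, the caller can only exhaust the budget on an account they already hold, and the counter is keyed to something the attacker does not choose.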
4123 | 7.5 HIGH | Network | CWE-89 SQL Injection | CVE-2026-46359 | 2026-05-19 02:25 | 2026-05-16
phpMyFAQ before 4.1.2 contains an SQL injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attac…

4124 | 5.4 MEDIUM | Network | CWE-79 Cross-site Scripting | CVE-2026-46360 | 2026-05-19 02:25 | 2026-05-16
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass san…

4125 | 6.9 MEDIUM | Network | CWE-79 Cross-site Scripting | CVE-2026-46361 | 2026-05-19 02:25 | 2026-05-16
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protect…

4126 | 6.5 MEDIUM | Network | CWE-863 Incorrect Authorization | CVE-2026-46362 | 2026-05-19 02:25 | 2026-05-16
phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Att…

4127 | 5.4 MEDIUM | Network | CWE-79 Cross-site Scripting | CVE-2026-46363 | 2026-05-19 02:25 | 2026-05-16
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authent…

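CVE-2026-46360 and CVE-2026-46363 are both cases of checking input before it is fully normalized. Added PHP example, not phpMyFAQ's sanitizer: a decoder that stops after a fixed five rounds, a decoder that runs to a fixed point and rejects input that never settles, and a constructed payload encoded six times so that it passes the first and is caught by the second. The `<script` check is a stand-in for the real rules (an SVG sanitizer should parse the document rather than string-match it); the ordering problem it exposes is the same either way.

```php
<?php
declare(strict_types=1);

// Vulnerable shape: entity decoding runs a fixed number of rounds before the dangerous-token
// check. Anything encoded one level deeper than that is still an entity when the check runs.
function decodeFixedRounds(string $s, int $rounds = 5): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $s = html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return $s;
}

// Hardened shape: decode until the string stops changing, and refuse input that is still
// changing after a generous cap instead of passing it on half-normalized.
function decodeToFixpoint(string $s, int $cap = 32): ?string
{
    for ($i = 0; $i < $cap; $i++) {
        $next = html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($next === $s) {
            return $s; // stable: no entity left to decode
        }
        $s = $next;
    }
    return null; // pathological nesting: treat as hostile
}

// Stand-in for the sanitizer's rules; only the input it receives matters for this example.
function containsScript(string $s): bool
{
    return stripos($s, '<script') !== false;
}

function isCleanVulnerable(string $input): bool
{
    return !containsScript(decodeFixedRounds($input, 5));
}

function isCleanHardened(string $input): bool
{
    $decoded = decodeToFixpoint($input);
    return $decoded !== null && !containsScript($decoded);
}

// Constructed payload: a script tag entity-encoded six times, one level past the fixed budget.
$payload = '<script>alert(1)</script>';
for ($i = 0; $i < 6; $i++) {
    $payload = htmlspecialchars($payload, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// After five rounds the tag is still '&lt;script&gt;...' and the vulnerable check matches nothing;
// the fixed-point decoder strips the last layer and the same check fires.
var_dump(isCleanVulnerable($payload));
var_dump(isCleanHardened($payload));
```

The same rule covers the encode-decode cycles in the FAQ endpoints: any sanitization decision must be made on the final form the data will be stored and rendered in, not on an intermediate encoding.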
4128 | 9.8 CRITICAL | Network | CWE-89 SQL Injection | CVE-2026-46364 | 2026-05-19 02:25 | 2026-05-16
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent h…

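CVE-2026-46359 and CVE-2026-46364 are the same defect with different inputs (OAuth token claims, the User-Agent header) interpolated into SQL. Added example, not phpMyFAQ's code, using PDO against an in-memory SQLite table constructed for the purpose: the interpolated DELETE lets a crafted header wipe the table with no session at all, and the bound-parameter version treats the same header as an ordinary string. Table and column names are invented for the example.

```php
<?php
declare(strict_types=1);

// Constructed in-memory table standing in for a captcha table keyed by client User-Agent.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE captcha (id INTEGER PRIMARY KEY, useragent TEXT NOT NULL, code TEXT NOT NULL)');
$db->exec("INSERT INTO captcha (useragent, code) VALUES ('Mozilla/5.0 (A)', 'ab12'), ('Mozilla/5.0 (B)', 'cd34')");

// Vulnerable shape: a header value is interpolated into the SQL text. The header is fully
// attacker-controlled and needs no login, which is what makes the bug pre-auth.
function garbageCollectVulnerable(PDO $db, string $userAgent): int
{
    $sql = "DELETE FROM captcha WHERE useragent = '$userAgent'";
    return (int) $db->exec($sql);
}

// Hardened shape: the same statement with the value bound as a parameter. The driver sends
// the header text as data, so quotes inside it cannot change the statement's structure.
function garbageCollectSafe(PDO $db, string $userAgent): int
{
    $stmt = $db->prepare('DELETE FROM captcha WHERE useragent = :ua');
    $stmt->execute([':ua' => $userAgent]);
    return $stmt->rowCount();
}

function rowCount(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM captcha')->fetchColumn();
}

// Constructed malicious header: closes the quoted literal and appends an always-true clause.
$evilUserAgent = "x' OR '1'='1";

// Bound: the literal string x' OR '1'='1 matches no useragent value, so nothing is deleted.
garbageCollectSafe($db, $evilUserAgent);
printf("rows after bound-parameter delete: %d\n", rowCount($db));

// Interpolated: the statement becomes WHERE useragent = 'x' OR '1'='1' and matches every row.
garbageCollectVulnerable($db, $evilUserAgent);
printf("rows after interpolated delete: %d\n", rowCount($db));
```

Requires the pdo_sqlite extension. For the token-claim case the fix is identical: claim values go into bound parameters, never into the statement text, and that holds even when the caller had to authenticate to reach the code.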
4129 | 5.4 MEDIUM | Network | CWE-862 Missing Authorization | CVE-2026-46365 | 2026-05-19 02:25 | 2026-05-16
phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, incl…

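The three authorization rows above (CVE-2026-45009, CVE-2026-46362, CVE-2026-46365) are three ways the same gate fails: asking only whether the caller is logged in, writing a 403 and then continuing, and having no gate on a delete route at all. Added PHP example, not phpMyFAQ's controller code, with a constructed user model, permission name and tag store: the hardened gate checks a named permission and throws, so a handler cannot run past a denial by forgetting a return.

```php
<?php
declare(strict_types=1);

// Constructed user model: a flat permission list stands in for the real role tables.
final class User
{
    public function __construct(public string $name, private array $permissions) {}

    public function isLoggedIn(): bool
    {
        return true;
    }

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class Forbidden extends RuntimeException {}

// Shape 1 (CWE-863, as in CVE-2026-45009): any logged-in account passes; the role is never consulted.
function gateLoginOnly(User $user): bool
{
    return $user->isLoggedIn();
}

// Shape 2 (CWE-863, as in CVE-2026-46362): the permission is checked and a forbidden response is
// written, but the function returns normally, so the handler that called it keeps running.
function gateNonTerminating(User $user, string $permission): void
{
    if (!$user->can($permission)) {
        echo "403 {\"error\":\"forbidden\"}\n"; // stands in for sending the real response
        // missing here: return a response / throw / exit, so control falls through to the handler
    }
}

// Hardened gate: throws on denial, so no handler can proceed past it by accident.
function requirePermission(User $user, string $permission): void
{
    if (!$user->can($permission)) {
        throw new Forbidden("missing permission: $permission");
    }
}

// Shape 3 (CWE-862, as in CVE-2026-46365): a delete handler with no gate at all.
function deleteTagUnguarded(array &$tags, int $tagId): void
{
    unset($tags[$tagId]);
}

function deleteTagGuarded(User $user, array &$tags, int $tagId): void
{
    requirePermission($user, 'delete_tags'); // permission name constructed for the example
    unset($tags[$tagId]);
}

$reader = new User('reader', ['view_faq']); // an ordinary logged-in account
$tags   = [1 => 'php', 2 => 'security'];    // constructed in-memory tag store

// Shape 1: the reader passes because the only question asked is "logged in?".
if (gateLoginOnly($reader)) {
    deleteTagUnguarded($tags, 1);
}
// Shape 2: the forbidden response is written and the deletion still happens.
gateNonTerminating($reader, 'delete_tags');
deleteTagUnguarded($tags, 2);
var_dump(count($tags));

// Hardened: the exception leaves the handler before unset() is reached, and the tags survive.
$tags = [1 => 'php', 2 => 'security'];
try {
    deleteTagGuarded($reader, $tags, 1);
} catch (Forbidden $e) {
    echo "403 {\"error\":\"{$e->getMessage()}\"}\n";
}
var_dump(count($tags));
```

A practical check for shape 2 in any code base: grep for the function that emits the 403 and confirm every call site either returns its result or is followed by nothing the caller should not reach; a gate that returns `void` after emitting a response is the warning sign.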
4130 | 7.5 HIGH | Network | CWE-863 Incorrect Authorization | CVE-2026-46366 | 2026-05-19 02:25 | 2026-05-16
phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted …

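CVE-2026-46366 is an authorization failure at the data layer rather than at a route: a lookup that does not carry the caller's permissions into the query. Added PHP/PDO example with a constructed SQLite schema (the table and column names are invented for the example, not phpMyFAQ's schema; the function names follow the method named in the description): the unfiltered lookup answers for every solution id, while the filtered one joins the caller's groups and the active flag so that a restricted or unpublished record is indistinguishable from a missing one.

```php
<?php
declare(strict_types=1);

// Constructed schema, not phpMyFAQ's: entries carry an active flag, grants say which group may read which entry.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE faq_entries (id INTEGER PRIMARY KEY, solution_id INTEGER NOT NULL, title TEXT NOT NULL, active INTEGER NOT NULL)');
$db->exec('CREATE TABLE faq_group_grants (record_id INTEGER NOT NULL, group_id INTEGER NOT NULL)');
$db->exec("INSERT INTO faq_entries VALUES (1, 1001, 'Public entry', 1), (2, 1002, 'Internal runbook', 1), (3, 1003, 'Unpublished draft', 0)");
$db->exec('INSERT INTO faq_group_grants VALUES (1, -1), (2, 7), (3, -1)'); // -1 = everyone, 7 = staff

// Vulnerable shape: the lookup ignores who is asking. Walking solution ids 1000, 1001, 1002, ...
// tells an anonymous caller which records exist, restricted and unpublished ones included.
function getIdFromSolutionIdUnfiltered(PDO $db, int $solutionId): ?int
{
    $stmt = $db->prepare('SELECT id FROM faq_entries WHERE solution_id = ?');
    $stmt->execute([$solutionId]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Hardened shape: the caller's groups and the active flag are part of the query, so a record
// the caller may not read returns the same null as a record that does not exist.
function getIdFromSolutionIdFiltered(PDO $db, int $solutionId, array $groupIds): ?int
{
    $groupIds[] = -1; // the "everyone" group always applies
    $placeholders = implode(',', array_fill(0, count($groupIds), '?'));
    $stmt = $db->prepare(
        "SELECT e.id FROM faq_entries e
         JOIN faq_group_grants g ON g.record_id = e.id
         WHERE e.solution_id = ? AND e.active = 1 AND g.group_id IN ($placeholders)
         LIMIT 1"
    );
    $stmt->execute(array_merge([$solutionId], $groupIds));
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Anonymous probe of four ids: the unfiltered lookup confirms which of them exist, the
// filtered one only answers for the public, active entry.
foreach ([1001, 1002, 1003, 1004] as $sid) {
    printf("solution %d: unfiltered=%s filtered=%s\n", $sid,
        var_export(getIdFromSolutionIdUnfiltered($db, $sid), true),
        var_export(getIdFromSolutionIdFiltered($db, $sid, []), true));
}
// A staff session would pass its group ids instead, e.g. getIdFromSolutionIdFiltered($db, 1002, [7]).
```

Requires the pdo_sqlite extension. The design choice worth copying is that the filter lives in the query, not in a post-check on the result: a post-check still tells the caller the row exists (via timing or a different error path) and is easy to forget on the next call site that reuses the lookup.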