Description
phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17.
Published: 2026-01-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in phpMyFAQ 4.0.16 and earlier, where several publicly exposed API endpoints lack proper access checks. The OpenQuestionController::list() method calls Question::getAll() with showAll=true by default, returning items marked as non-public (isVisible=false) and attaching the corresponding user email addresses. Similar weaknesses exist in the comment, news, and FAQ APIs. Consequently, an unauthenticated attacker can retrieve private question data and email addresses, facilitating phishing or other social engineering attacks. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
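To make the defect concrete, the following PHP snippet contrasts the pattern the advisory describes (a listing that defaults to "show all" and serialises stored rows unchanged) with a hardened listing that filters non-public rows server-side and allow-lists the fields an anonymous caller may see. This is an added illustration, not phpMyFAQ's code: the function names, the record array shape and the sample rows are constructed assumptions; only the field names isVisible and email and the showAll default come from the advisory text.

```php
<?php
declare(strict_types=1);

// Constructed sample records (assumption: one associative array per question,
// using the isVisible and email fields named in the advisory).
function sampleQuestions(): array
{
    return [
        ['id' => 1, 'question' => 'How do I reset my password?', 'isVisible' => true,  'email' => 'alice@example.org'],
        ['id' => 2, 'question' => 'Internal: pricing for Q3?',    'isVisible' => false, 'email' => 'bob@example.org'],
    ];
}

// Vulnerable pattern (hypothetical): the listing defaults to "show everything"
// and returns the stored rows as-is, so an unprivileged caller receives
// invisible records together with the submitters' e-mail addresses.
function listQuestionsInsecure(array $rows, bool $showAll = true): array
{
    if ($showAll) {
        return $rows;
    }
    return array_values(array_filter($rows, fn(array $r) => $r['isVisible'] === true));
}

// Hardened pattern (hypothetical): the anonymous path is the default, non-public
// rows are dropped before serialisation, and only an allow-list of fields is
// emitted; an authenticated administrator gets the full record.
function listQuestionsPublic(array $rows, bool $isAdmin = false): array
{
    $allowed = $isAdmin ? ['id', 'question', 'isVisible', 'email'] : ['id', 'question'];
    $visible = $isAdmin ? $rows : array_filter($rows, fn(array $r) => $r['isVisible'] === true);

    return array_values(array_map(
        fn(array $r) => array_intersect_key($r, array_flip($allowed)),
        $visible
    ));
}

// Response-level check suitable as a regression test for this class of bug:
// an anonymous response must contain neither an e-mail field nor a record
// flagged as not visible.
function leaksSensitiveData(array $response): bool
{
    foreach ($response as $r) {
        if (array_key_exists('email', $r)) {
            return true;
        }
        if (array_key_exists('isVisible', $r) && $r['isVisible'] === false) {
            return true;
        }
    }
    return false;
}

$rows = sampleQuestions();
echo 'insecure listing: ', leaksSensitiveData(listQuestionsInsecure($rows)) ? 'LEAKS' : 'clean', PHP_EOL;
echo 'public listing:   ', leaksSensitiveData(listQuestionsPublic($rows)) ? 'LEAKS' : 'clean', PHP_EOL;
echo 'admin listing:    ', count(listQuestionsPublic($rows, true)), ' record(s)', PHP_EOL;
```

The check in leaksSensitiveData is the part worth keeping around after patching: run it against the JSON of every unauthenticated endpoint (questions, comments, news, FAQ entries) in an integration test so a future default of showAll=true, or a new field that carries an address, is caught before release.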

Affected Systems

The affected software is Thorsten’s phpMyFAQ application. Versions 4.0.16 and earlier are vulnerable; the issue was resolved in version 4.0.17. The product is identified by the CPE cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. With an EPSS score below 1%, the estimated probability of exploitation in the wild is low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the flaw is reachable through publicly available API URLs that do not require authentication, so an attacker could automatically harvest email addresses or private content by simply invoking those endpoints. Mitigating this risk requires applying the vendor’s patch or restricting unauthenticated API access.

Generated by OpenCVE AI on April 18, 2026 at 02:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to phpMyFAQ 4.0.17 or later, which removes the insecure default behaviour.
  • Restrict access to the public API endpoints by placing them behind authentication or adjusting firewall rules, so only authorized users can query sensitive data.
  • Review and harden the application’s access-control configuration, ensuring that non-public data is never exposed through unprotected API calls.


Advisories

Source | ID | Title
GitHub GHSA | GHSA-j4rc-96xj-gvqc | phpMyFAQ: Public API endpoints expose emails and invisible questions
History

Wed, 28 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Phpmyfaq; Phpmyfaq phpmyfaq
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Vendors & Products | | Phpmyfaq; Phpmyfaq phpmyfaq

Mon, 26 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Thorsten; Thorsten phpmyfaq
Vendors & Products | | Thorsten; Thorsten phpmyfaq

Sat, 24 Jan 2026 02:45:00 +0000

Type | Values Removed | Values Added
Description | | phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17.
Title | | phpMyFAQ: Public API endpoints expose emails and invisible questions
Weaknesses | | CWE-200
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T14:58:18.883Z

Reserved: 2026-01-22T18:19:49.175Z

Link: CVE-2026-24422

Vulnrichment

Updated: 2026-01-26T14:58:03.677Z

NVD

Status : Analyzed

Published: 2026-01-24T03:16:01.010

Modified: 2026-01-28T18:10:23.890

Link: CVE-2026-24422

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z

Weaknesses