logo

Database

Improper authorization control for web services In phpmyfaq/phpmyfaq

Description

phpMyFAQ: Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, including regular frontend users, can delete arbitrary tags by sending a DELETE request with a valid session cookie, resulting in permanent data loss and disruption of FAQ organization.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-463652. NVD-2026-463653. OSV-2026-463654. GHSA-7cx3-2qx2-3g6w5. GCVE-2026-46365

References

1. https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7cx3-2qx2-3g6w2. https://www.vulncheck.com/advisories/phpmyfaq-missing-authorization-in-tag-deletion-endpoint

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.