logo

Database

Business information leak In phpmyfaq/phpmyfaq

Description

phpMyFAQ: Public API endpoints expose emails and invisible questions

Summary

Several public API endpoints return email addresses and non‑public records (e.g. open questions with isVisible=false).

Details

OpenQuestionController::list() calls Question::getAll() with the default showAll=true, returning invisible questions and their emails. Similar exposures exist in comment/news/faq APIs.

PoC

curl -i -H 'Accept-Language: en' \
  http://192.168.40.16/phpmyfaq/api/v3.0/open-questions

Impact

Privacy exposure of email addresses and non‑public content; increased risk of phishing/scraping.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-244222. NVD-2026-244223. OSV-2026-244224. GHSA-j4rc-96xj-gvqc5. GCVE-2026-24422

References

1. https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.