CVE-2026-45009

phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints

CVSS 5.3 MEDIUMEPSS 0.2%CWE-863

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

15 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

thorsten · phpmyfaq

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5 https://www.vulncheck.com/advisories/phpmyfaq-insufficient-authorization-check-in-admin-api-endpoints