{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24420", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-22T18:19:49.175Z", "datePublished": "2026-01-24T01:57:28.369Z", "dateUpdated": "2026-01-26T15:01:08.459Z"}, "containers": {"cna": {"title": "phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv"}], "affected": [{"vendor": "thorsten", "product": "phpMyFAQ", "versions": [{"version": "< 4.0.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-24T01:57:28.369Z"}, "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version"}], "source": {"advisory": "GHSA-7p9h-m7m8-vhhv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T15:00:41.521304Z", "id": "CVE-2026-24420", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:01:08.459Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24420", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-22T18:19:49.175Z", "datePublished": "2026-01-24T01:57:28.369Z", "dateUpdated": "2026-01-26T15:01:08.459Z"}, "containers": {"cna": {"title": "phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv"}], "affected": [{"vendor": "thorsten", "product": "phpMyFAQ", "versions": [{"version": "< 4.0.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-24T01:57:28.369Z"}, "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version"}], "source": {"advisory": "GHSA-7p9h-m7m8-vhhv", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24420", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T15:00:41.521304Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:00:59.337Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A48918B-2C09-403F-A8A5-8179AE32363E", "versionEndExcluding": "4.0.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version"}], "id": "CVE-2026-24420", "lastModified": "2026-01-28T18:25:46.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-24T03:16:00.760", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T02:56:44.846281+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest phpMyFAQ release that contains the permission\u2011check fix; apply the update immediately.", "If an upgrade is not possible, restrict web\u2011server access to the attachment directory so that only authenticated users with the dlattachment permission can reach it\u2014use server\u2011side ACLs or deny rules to block the download endpoint for unauthorized users.", "Review and harden all permission checks in phpMyFAQ, ensuring that each user\u2011controlled request parameter is validated against the correct authorization rules and that no other broken access control gaps remain."], "summary": {"action": "Patch", "impact": "Unauthorized attachment download (Broken Access Control)"}, "threat_synthesis": {"affected_systems": "The affected product is phpMyFAQ, developed by thorsten. The critical versions are 4.0.16 and below; newer releases contain a fix that has been applied. The fix is not yet listed with a specific version in the advisory, so administrators should consult the latest releases on the project\u2019s GitHub page for the corrected code.", "description_and_impact": "phpMyFAQ is an open\u2011source FAQ web application. In versions 4.0.16 and earlier, the code that serves attachment downloads performs a permission check that merely verifies the existence of a rights key rather than confirming that the user possesses the dlattachment privilege. Additionally, the logic that evaluates group and user permissions contains a flawed conditional expression. These issues allow an authenticated user who does not have the required dlattachment right to download any FAQ attachment files, exposing potentially confidential information to insiders or malicious insiders. The vulnerability is a classic example of broken access control (CWE\u2011284).", "risk_and_exploitability": "The CVSS v3.1 score is 6.5, indicating moderate severity. The EPSS score is less than 1\u202f%, suggesting a low probability of exploitation in the short term, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, because the flaw only requires the attacker to be authenticated, an internal user or an attacker who has compromised credentials could immediately download documents. The vulnerability does not grant arbitrary code execution or elevate privileges beyond the authenticated session; it simply bypasses a file\u2011download permission check."}}}}, "created": "2026-01-26T11:48:54.335155+00:00", "updated": "2026-04-18T03:00:10.332216+00:00", "vendors": ["thorsten", "thorsten$PRODUCT$phpmyfaq"]}