CVE-2025-62519 HIGH

CVE-2025-62519: phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality

Vendor Thorsten
Product phpMyFAQ
Weakness CWE-89 · SQLi
Published November 17, 2025
Last update November 17, 2025

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. This issue has been patched in version 4.0.14.

Key dates

02Disclosure timeline

November 17, 2025 CVE published
November 17, 2025 Record updated