CVE-2026-24420 MEDIUM

CVE-2026-24420: phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

Vendor Thorsten
Product phpMyFAQ
Weakness CWE-284
Published January 24, 2026
Last update January 26, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments because of an incomplete permissions check. In attachment.php, the mere presence of a right key is improperly treated as proof of authorization. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version

Key dates

Disclosure timeline

January 24, 2026 CVE published
January 26, 2026 Record updated