CVE-2026-24422 MEDIUM

CVE-2026-24422: phpMyFAQ: Public API endpoints expose emails and invisible questions

Vendor Thorsten

Product phpMyFAQ

Weakness CWE-200 · Info exposure

Published January 24, 2026

Last update January 26, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17.

Key dates

02Disclosure timeline

January 24, 2026 CVE published

January 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-24422

Related vulnerabilities

CVE-2026-24422: phpMyFAQ: Public API endpoints expose emails and invisible questions

01Description

02Disclosure timeline

03References

04Related CVE