CVE-2026-46362 MEDIUM

CVE-2026-46362: phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check

Vendor Thorsten

Product phpmyfaq

Weakness CWE-863 · Incorrect authorization

Published May 15, 2026

Last update May 28, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.

Key dates

Disclosure timeline

May 15, 2026 CVE published

May 28, 2026 Record updated