CVE-2026-46366 HIGH

CVE-2026-46366: phpMyFAQ - Unauthenticated Information Disclosure via getIdFromSolutionId Permission Bypass

Vendor Thorsten

Product phpmyfaq

Weakness CWE-863 · Incorrect authorization

Published May 15, 2026

Last update May 28, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solution_id_{id}.html endpoint. Attackers can sequentially iterate solution IDs to discover all FAQs including those restricted to specific users or groups, leaking sensitive metadata through redirect Location headers and page canonical links.

Key dates

Disclosure timeline

May 15, 2026 CVE published

May 28, 2026 Record updated