Security Advisory 2026-06-14

Multiple vulnerabilities in phpMyFAQ

Issued on: 2026-06-14
Software: phpMyFAQ <= 4.1.4
Risk: High
Platforms: all

The phpMyFAQ Team has learned of security issues that were discovered in phpMyFAQ 4.1.4 and earlier.

Description

An authenticated FAQ editor can embed a crafted image reference (e.g. ../../) in a FAQ entry to make the PDF export read arbitrary files outside the content directory and disclose them in the document.

An unauthenticated user can query the public FAQ APIs directly to retrieve inactive content — drafts, unpublished revisions, and entries awaiting approval — that was never meant to be public.

A delegated administrator with only the GROUP_EDIT permission can grant a group rights they do not hold and inherit them as a member, escalating up to full administrative control, because the group-rights endpoint (GroupController::updatePermissions) lacks the constraint applied to the user-rights endpoint (UserController::updateUserRights).
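
The following is an added illustrative example, not phpMyFAQ's own code: it models the guard the advisory describes, requiring that a caller can only assign a group rights the caller already holds. Function names and every right name other than GROUP_EDIT are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ code. Models the constraint that the advisory
// says the user-rights endpoint enforces and the group-rights endpoint lacked
// in <= 4.1.4: requested rights must be a subset of the grantor's own rights,
// otherwise a group member with GROUP_EDIT could grant rights to a group and
// inherit them through membership.

/**
 * Returns the requested rights the grantor does not hold (hypothetical helper).
 * An empty array means the grant stays within the grantor's own rights.
 */
function rightsNotHeldByGrantor(array $grantorRights, array $requestedRights): array
{
    $held = array_fill_keys($grantorRights, true);
    $missing = [];
    foreach ($requestedRights as $right) {
        if (!isset($held[$right])) {
            $missing[] = $right;
        }
    }
    return $missing;
}

/**
 * Guard to run before persisting group permissions. It does not depend on
 * whether the grantor is a member of the target group: the subset check
 * alone closes the escalation path.
 */
function canUpdateGroupPermissions(array $grantorRights, array $requestedRights): bool
{
    // GROUP_EDIT is needed to touch group rights at all ...
    if (!in_array('GROUP_EDIT', $grantorRights, true)) {
        return false;
    }
    // ... but it must not let the grantor hand out rights they lack.
    return rightsNotHeldByGrantor($grantorRights, $requestedRights) === [];
}

// Constructed sample: a delegated admin holding two rights tries to give a
// group they belong to an extra right ('ADMIN_FULL' is a placeholder name).
$grantor   = ['GROUP_EDIT', 'FAQ_EDIT'];
$requested = ['FAQ_EDIT', 'ADMIN_FULL'];

if (!canUpdateGroupPermissions($grantor, $requested)) {
    echo 'rejected, rights not held by grantor: '
        . implode(', ', rightsNotHeldByGrantor($grantor, $requested)) . PHP_EOL;
}
if (canUpdateGroupPermissions($grantor, ['FAQ_EDIT'])) {
    echo 'allowed: FAQ_EDIT is already held by the grantor' . PHP_EOL;
}
```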

Solution

The phpMyFAQ Team has released the new phpMyFAQ version 4.1.5, which fixes the vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 4.1.5.

Thanks

The phpMyFAQ team would like to thank Yanchon918s, YHalo-wyh, and DomainXTech for the responsible disclosures of these vulnerabilities.