Security Advisory 2026-07-13

Multiple vulnerabilities in phpMyFAQ

Issued on:
2026-07-13
Software:
phpMyFAQ <= 4.1.5
Risk:
Critical
Platforms:
all

The phpMyFAQ Team has learned of security issues that'd been discovered in phpMyFAQ 4.1.5 and earlier.

Description

An authenticated administrator can supply an untrusted update-package path to the configuration API, causing phpMyFAQ to write an arbitrary PHP file to the server and thereby execute attacker-controlled code.

An attacker can exploit a path traversal in the category image deletion routine to remove arbitrary files outside the intended directory, which can leave the installation in a state that allows a setup takeover.

The two-factor authentication login flow can be completed without verifying the password factor, so an attacker who possesses only the second factor is able to authenticate as the victim.

A delegated administrator with only the GROUP_EDIT permission can assign group memberships without restriction through GroupController::updateMembers, inheriting rights they do not hold and escalating their privileges.

An authenticated user can inject SQL through an unescaped stop word inserted via StopWords::add(), allowing manipulation of the underlying database query.

Solution

The phpMyFAQ Team has released the new phpMyFAQ version 4.1.6, which fixes the vulnerabilities. All

users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 4.1.6.

Thanks

The phpMyFAQ team would like to thank ImDuong, geo-chen, DomainXTech, and Waseem Dayili for the responsible disclosures of these vulnerabilities.