SQL Injection Vulnerability in phpMyFAQ Prior to Version 4.0.14
CVE-2025-62519

7.2HIGH

Key Information:

Vendor: Thorsten
Status: pHPMyFAQ
Vendor: CVE Published:; 17 November 2025

What is CVE-2025-62519?

An authenticated SQL injection vulnerability exists in phpMyFAQ prior to version 4.0.14, particularly in the configuration update feature. This flaw allows users with 'Configuration Edit' permissions to execute arbitrary SQL commands. If exploited, attackers could gain complete control over the database, including the capability to read, modify, or delete data. The implications of this vulnerability may extend to remote code execution, depending on the database setup. The issue has been addressed in version 4.0.14, making it essential for users to upgrade to this release to mitigate risks.

Affected Version(s)

phpMyFAQ < 4.0.14

References

https://github.com/thorsten/phpMyFAQ/security/advisories/...

x_refsource_CONFIRM

https://github.com/thorsten/phpMyFAQ/compare/4.0.13...4.0.14

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 17, 2025
Vulnerability Reserved
Oct 15, 2025

JSON

Thorsten

What is CVE-2025-62519?

Affected Version(s)

References

CVSS V3.1

Timeline