Authorization Flaw in phpMyFAQ Affects Open Source Web Application
CVE-2026-24421

6.5 MEDIUM

Key Information:

Vendor: Thorsten
Status: Vendor
CVE Published: 24 January 2026

What is CVE-2026-24421?

phpMyFAQ is an open-source FAQ web application that contains a vulnerability in its authorization logic affecting versions 4.0.16 and below. The flaw resides in the /api/setup/backup endpoint, where the authorization check is inadequate. Specifically, the userIsAuthenticated() function only verifies that a user is authenticated; it does not confirm that the user holds the configuration or admin permission the endpoint requires. As a result, any authenticated non-admin user can initiate a configuration backup and learn its path, potentially exposing sensitive configuration data. This issue has been addressed in version 4.0.17, so users are encouraged to upgrade promptly to prevent unauthorized access.
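To make the authentication-versus-authorization gap concrete, here is an added illustration in PHP; it is not phpMyFAQ's own code, and the User class, the hasPermission() method and the 'configuration' permission name are assumptions standing in for the real ones.

```php
<?php
// Added illustration, not phpMyFAQ's code. The User class, hasPermission()
// and the 'configuration' right are assumptions standing in for the real ones.

final class User
{
    public function __construct(
        private bool $loggedIn,
        private array $permissions // e.g. ['configuration'] for admins
    ) {}

    public function isLoggedIn(): bool { return $this->loggedIn; }

    public function hasPermission(string $right): bool
    {
        return in_array($right, $this->permissions, true);
    }
}

// The pattern the advisory describes: the guard stops at "is there a session?".
// Any authenticated account, including a plain reader, passes this check.
function userIsAuthenticated(User $user): bool
{
    return $user->isLoggedIn();
}

// Hardened guard: authentication AND the specific right the endpoint needs.
// Returns the HTTP status the endpoint should send before doing any work.
function authorizeBackup(User $user): int
{
    if (!$user->isLoggedIn()) {
        return 401; // not authenticated at all
    }
    if (!$user->hasPermission('configuration')) {
        return 403; // authenticated, but not allowed to touch config backups
    }
    return 200;
}

// Constructed sample accounts: an admin holding the configuration right,
// a regular authenticated user, and an anonymous visitor.
$admin   = new User(true, ['configuration', 'editfaq']);
$reader  = new User(true, ['viewfaq']);
$visitor = new User(false, []);

foreach (['admin' => $admin, 'reader' => $reader, 'visitor' => $visitor] as $name => $u) {
    printf("%-8s old guard: %s  hardened: %d\n",
        $name, userIsAuthenticated($u) ? 'allow' : 'deny', authorizeBackup($u));
}
```

The reader account is the interesting row: the old guard lets it through while the hardened guard returns 403, which is exactly the check 4.0.17 adds.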


Affected Version(s)

phpMyFAQ < 4.0.17


CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
