CVE-2026-24420

phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

Description

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version

INFO

Published Date :

2026-01-24T01:57:28.369Z

Last Modified :

2026-01-26T15:01:08.459Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-24420 vulnerability.

Vendors	Products
Phpmyfaq	Phpmyfaq
Thorsten	Phpmyfaq

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-24420.

URL	Resource
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact