CVE-2026-24422
BaseFortify

Publication date: 2026-01-24

Last updated on: 2026-01-28

Assigner: GitHub, Inc.

Description
phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17.
Meta Information
Page generated: 2026-06-16
AI Q&A generated: 2026-01-24
EPSS evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: phpmyfaq
Product: phpmyfaq
Version / Range: up to 4.0.17 (excluding 4.0.17)
CWE ID / Description
NVD-CWE-noinfo: insufficient information (NVD placeholder, no description)
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Executive Summary

This vulnerability in phpMyFAQ version 4.0.16 and below involves multiple public API endpoints that improperly expose sensitive user information due to insufficient access controls. Specifically, the OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, which returns records marked as non-public (isVisible=false) along with user email addresses. Similar exposures occur in comment, news, and FAQ APIs. This leads to unintended disclosure of private content and user email addresses. [1]

Impact Analysis

This vulnerability can impact you by exposing sensitive user information such as email addresses and private content that was meant to be hidden. Attackers could harvest these email addresses for phishing campaigns or scrape confidential data, leading to privacy breaches and potential targeted attacks. [1]

Detection Guidance

This vulnerability can be detected by sending unauthenticated requests to the public API endpoints of phpMyFAQ version 4.0.16 or below, specifically the open-questions API endpoint (OpenQuestionController::list()). If the response includes non-public records (isVisible=false) or user email addresses, the system is vulnerable. A simple detection command is a curl request such as curl -X GET https://your-phpmyfaq-domain/api/open-questions, followed by inspecting the response body for the sensitive fields described above. [1]
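An added check that applies the detection guidance above to a captured response body (example code written for this page, not part of phpMyFAQ or the advisory; the response shape, the isVisible and email field names, and the sample records are assumptions):

```python
import json
from typing import Any

# Constructed sample of what an unpatched open-questions endpoint returns,
# modelled on the advisory: hidden records (isVisible=false) and e-mail
# addresses leak into a public listing. Field names are an assumption.
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "question": "How do I reset my password?", "isVisible": True},
    {"id": 2, "question": "Who owns the HR share?", "isVisible": False,
     "email": "bob@example.org"},
    {"id": 3, "question": "Is the SSO portal back?", "isVisible": True,
     "email": "carol@example.org"},
])

EMAIL_KEYS = ("email", "user_email", "mail")


def _records(payload: Any) -> list[dict]:
    """Accept a bare list or a wrapper object such as {"data": [...]}."""
    if isinstance(payload, dict):
        payload = next((v for v in payload.values() if isinstance(v, list)), [])
    if not isinstance(payload, list):
        return []
    return [r for r in payload if isinstance(r, dict)]


def find_exposures(body: str) -> dict[str, list]:
    """Return ids of records that a public listing should not contain:
    'hidden' = marked isVisible=false, 'emails' = carrying an e-mail address."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:  # not JSON: nothing to classify
        return {"hidden": [], "emails": []}
    hidden, emails = [], []
    for rec in _records(payload):
        rid = rec.get("id")
        if rec.get("isVisible") in (False, "false", "0"):  # explicit non-public flag
            hidden.append(rid)
        if any(rec.get(k) for k in EMAIL_KEYS):
            emails.append(rid)
    return {"hidden": hidden, "emails": emails}


def is_exposed(body: str) -> bool:
    """True when either finding is present, i.e. the pre-4.0.17 behaviour."""
    found = find_exposures(body)
    return bool(found["hidden"] or found["emails"])
```

Feed the body of the curl response from the text into find_exposures; a patched 4.0.17 instance should yield empty lists for an unauthenticated request.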

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade phpMyFAQ to version 4.0.17 or later, where the issue has been fixed. Until the upgrade is applied, restrict access to the affected API endpoints or implement additional access controls to prevent unauthorized data exposure. [1]

Compliance Impact

This vulnerability causes improper exposure of sensitive user information, including email addresses and non-public content, which constitutes a privacy breach. Such exposure could lead to violations of data protection regulations like GDPR or HIPAA by failing to adequately protect personal data and confidential information. Attackers could exploit this to harvest emails for phishing or access private content, increasing the risk of non-compliance with privacy and data security requirements. [1]
