CVE-2026-57995
Received - Intake

BaseFortify

Vulnerability report for CVE-2026-57995, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in GroupController::updatePermissions that allows GROUP_EDIT administrators to grant arbitrary rights to groups without verifying they hold those rights themselves. A delegated administrator can exploit this by assigning high-value permissions to a group they belong to, inheriting those rights and escalating privileges up to full administrative control.
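The missing check, modelled as a small Python example added here (it is not phpMyFAQ code, and the permission store, the GROUP_EDIT and ADMIN right names, the "editors" group and the users "alice" and "root" are all constructed for illustration). The vulnerable variant reproduces the behaviour the advisory describes: the only authorization check is for the right to edit groups, so an actor can write any right into a group, including rights they do not hold. The hardened variant snapshots the actor's effective rights first and rejects any added right that is not in that set.

```python
"""Toy model of the CVE-2026-57995 escalation path and a hardened check.

Added example; not phpMyFAQ code. Rights, groups and users are constructed
for illustration, and the real GroupController::updatePermissions is not
modelled beyond the behaviour the advisory describes.
"""
from dataclasses import dataclass, field


GROUP_EDIT = "group_edit"   # right held by a delegated group administrator
ADMIN = "admin"             # stand-in for "full administrative control"


class PermissionDenied(Exception):
    pass


@dataclass
class PermissionStore:
    """Users hold rights directly and inherit the rights of their groups."""
    user_rights: dict[str, set[str]] = field(default_factory=dict)
    group_rights: dict[str, set[str]] = field(default_factory=dict)
    memberships: dict[str, set[str]] = field(default_factory=dict)  # user -> groups

    def effective_rights(self, user: str) -> set[str]:
        rights = set(self.user_rights.get(user, set()))
        for group in self.memberships.get(user, set()):
            rights |= self.group_rights.get(group, set())
        return rights


def update_permissions_vulnerable(store: PermissionStore, actor: str,
                                  group: str, new_rights: set[str]) -> None:
    """Behaviour the advisory describes: only GROUP_EDIT is checked, so the
    actor can write any right into the group, including rights they lack."""
    if GROUP_EDIT not in store.effective_rights(actor):
        raise PermissionDenied(f"{actor} may not edit groups")
    store.group_rights[group] = set(new_rights)


def update_permissions_fixed(store: PermissionStore, actor: str,
                             group: str, new_rights: set[str]) -> None:
    """Hardened form: every right being *added* to the group must already be
    held by the actor. The actor's rights are snapshotted before the write so
    the update cannot feed back into its own authorization decision."""
    actor_rights = store.effective_rights(actor)
    if GROUP_EDIT not in actor_rights:
        raise PermissionDenied(f"{actor} may not edit groups")
    added = set(new_rights) - store.group_rights.get(group, set())
    excess = added - actor_rights
    if excess:
        raise PermissionDenied(
            f"{actor} cannot grant rights they do not hold: {sorted(excess)}")
    store.group_rights[group] = set(new_rights)


def build_sample_store() -> PermissionStore:
    """Constructed sample: 'alice' is a delegated admin via the 'editors'
    group; only 'root' holds ADMIN directly."""
    return PermissionStore(
        user_rights={"root": {ADMIN, GROUP_EDIT}},
        group_rights={"editors": {GROUP_EDIT, "faq_edit"}},
        memberships={"alice": {"editors"}},
    )


def run_scenario() -> dict[str, bool]:
    """Run the escalation against both variants and report what happened."""
    result: dict[str, bool] = {}

    vuln = build_sample_store()
    result["before"] = ADMIN in vuln.effective_rights("alice")
    # alice grants ADMIN to the group she belongs to and inherits it
    update_permissions_vulnerable(vuln, "alice", "editors",
                                  {GROUP_EDIT, "faq_edit", ADMIN})
    result["vulnerable_escalated"] = ADMIN in vuln.effective_rights("alice")

    fixed = build_sample_store()
    try:
        update_permissions_fixed(fixed, "alice", "editors",
                                 {GROUP_EDIT, "faq_edit", ADMIN})
        result["fixed_rejected"] = False
    except PermissionDenied:
        result["fixed_rejected"] = True
    result["fixed_escalated"] = ADMIN in fixed.effective_rights("alice")

    # Re-saving rights the actor does hold is still allowed ...
    update_permissions_fixed(fixed, "alice", "editors", {GROUP_EDIT, "faq_edit"})
    # ... and root, who holds ADMIN, may legitimately delegate it
    update_permissions_fixed(fixed, "root", "editors",
                             {GROUP_EDIT, "faq_edit", ADMIN})
    result["root_grant_allowed"] = ADMIN in fixed.effective_rights("alice")
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The hardened check compares only the rights being added against the actor's snapshot, so a delegated administrator can still re-save a group that a real administrator previously elevated; whether a delegated administrator may remove such rights is a separate policy question this example does not settle. The important property is that the rights a group ends up with can never exceed the union of what the actors who edited it held at the time, which is exactly the invariant the vulnerable variant breaks.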

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: phpmyfaq
Product: phpmyfaq
Version / Range: all versions before 4.1.5 (4.1.5 itself is not affected)

CWE

CWE-269 (Improper Privilege Management): The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Executive Summary

In phpMyFAQ before 4.1.5, GroupController::updatePermissions checks only that the caller holds GROUP_EDIT; it does not verify that the caller holds each right being assigned to the group. A delegated administrator can therefore write rights into a group that they themselves do not possess.

Because users inherit the rights of the groups they belong to, a delegated administrator assigns high-value rights to a group they are a member of, inherits them on the next authorization check, and escalates up to full administrative control. Upgrading to 4.1.5 or later removes the issue.

Impact Analysis

The vulnerability collapses the separation between "may manage groups" and "may administer the application": any account trusted only with GROUP_EDIT can make itself a full administrator of the phpMyFAQ instance.

With administrative control the attacker can read sensitive data, modify or delete content and configuration, and disrupt normal operation. Until the upgrade is applied, GROUP_EDIT should be held only by accounts that are already trusted with full administrative control, and changes to group rights should be reviewed for grants that exceed what the acting administrator held.
