CVE-2026-57994
Received Received - Intake

phpMyFAQ Information Disclosure via Inconsistent API Filtering

Vulnerability report for CVE-2026-57994, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

phpMyFAQ before 4.1.5 applies inconsistent active=yes and publication-date filtering across its public FAQ API endpoints, allowing unauthenticated attackers to retrieve inactive (draft or review-only) FAQ content. Specifically, GET /api/v3.1/faq/{categoryId}/{faqId} returns the inactive FAQ title and full answer, while GET /api/v3.1/faqs/tags/{tagId} and GET /api/v4.0/faqs/tags/{tagId} return the inactive FAQ title and answer preview, disclosing non-public content.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
phpmyfaq phpmyfaq From 4.1.0 (inc) to 4.1.4 (inc)
phpmyfaq phpmyfaq 4.1.5
phpmyfaq phpmyfaq 4.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated attackers to access inactive FAQ content that is intended to be non-public, such as draft or review-only entries. While the exposed information is limited to FAQ titles and answers, the disclosure of non-public content could potentially lead to compliance issues if the content includes sensitive or regulated information.

However, the provided information does not specify whether the inactive FAQ content contains personal data or sensitive health information that would directly impact compliance with regulations like GDPR or HIPAA.

Therefore, the effect on compliance depends on the nature of the inactive FAQ content stored in phpMyFAQ. If such content includes regulated personal or health data, unauthorized disclosure could violate confidentiality and data protection requirements under these standards.

Executive Summary

This vulnerability in phpMyFAQ versions before 4.1.5 is caused by inconsistent filtering of inactive FAQ content across its public API endpoints.

Unauthenticated attackers can exploit this flaw to retrieve inactive FAQ entries, such as drafts or review-only content, which should normally be hidden.

Specifically, certain API endpoints like GET /api/v3.1/faq/{categoryId}/{faqId} return the inactive FAQ title and full answer, while others like GET /api/v3.1/faqs/tags/{tagId} and GET /api/v4.0/faqs/tags/{tagId} return the inactive FAQ title and an answer preview.

The root cause is inconsistent application of active status and publication date filtering across different API controllers.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of non-public FAQ content, including drafts or review-only entries.

Attackers do not need to authenticate to access this inactive content, which could reveal sensitive or internal information that was not intended for public view.

While the impact is limited to confidentiality (no integrity or availability impact), it may expose internal knowledge or planned changes prematurely.

Detection Guidance

This vulnerability can be detected by sending unauthenticated HTTP GET requests to the vulnerable phpMyFAQ API endpoints and checking if inactive FAQ content is returned.

  • Send a GET request to /api/v3.1/faq/{categoryId}/{faqId} and verify if inactive FAQ titles and full answers are returned.
  • Send a GET request to /api/v3.1/faqs/tags/{tagId} and check if inactive FAQ titles and answer previews are disclosed.
  • Send a GET request to /api/v4.0/faqs/tags/{tagId} and verify if inactive FAQ titles and answer previews are returned.

These requests can be performed using command line tools like curl, for example: curl -X GET "http://your-phpmyfaq-domain/api/v3.1/faq/1/1"

Mitigation Strategies

The immediate mitigation step is to upgrade phpMyFAQ to version 4.1.5 or later, where the inconsistent filtering of inactive FAQ content has been fixed.

Until an upgrade can be performed, restrict access to the vulnerable API endpoints to trusted users or networks to prevent unauthenticated access.

Additionally, review and apply consistent active status and publication date filtering across all public API routes if custom patches or configurations are possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57994. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart