| CVE-2026-46367 | high | 7.6 | 7.6 | 12d ago | phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering |
| CVE-2026-45008 | medium | 6.5 | 6.5 | 12d ago | phpMyFAQ: Path traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins |
| CVE-2026-46363 | medium | 5.4 | 5.4 | 12d ago | phpMyFAQ: Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization |
| CVE-2026-46365 | medium | 5.4 | 5.4 | 12d ago | phpMyFAQ: Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags |
| CVE-2026-46360 | medium | 5.4 | 5.4 | 12d ago | phpMyFAQ: SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS |
| CVE-2026-45009 | medium | 4.3 | 4.3 | 12d ago | phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check |
| CVE-2026-34729 | unknown | — | — | 2mo ago | phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes() |
| CVE-2026-34728 | unknown | — | — | 2mo ago | phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController |
| CVE-2026-32629 | unknown | — | — | 2mo ago | phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor |
| CVE-2026-24422 | unknown | — | — | 4mo ago | phpMyFAQ: Public API endpoints expose emails and invisible questions |
| CVE-2026-24421 | unknown | — | — | 4mo ago | phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing) |
| CVE-2026-24420 | unknown | — | — | 4mo ago | phpMyFAQ: Attachment download allowed without dlattachment right (broken access control) |
| CVE-2023-53929 | unknown | — | — | 5mo ago | phpMyFAQ contains a CSV injection vulnerability |
| CVE-2025-62519 | unknown | — | — | 6mo ago | phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality |
| CVE-2024-56199 | unknown | — | — | 1y ago | phpMyFAQ Vulnerable to Stored HTML Injection at FAQ |
| CVE-2024-27300 | unknown | — | — | 2y ago | phpMyFAQ stored Cross-site Scripting at user email |
| CVE-2024-28105 | unknown | — | — | 2y ago | phpMyFAQ's File Upload Bypass at Category Image Leads to RCE |
| CVE-2024-28106 | unknown | — | — | 2y ago | phpMyFAQ Stored Cross-site Scripting at FAQ News Content |
| CVE-2024-28107 | unknown | — | — | 2y ago | phpMyFAQ SQL injections at insertentry & saveentry |
| CVE-2024-28108 | unknown | — | — | 2y ago | phpMyFAQ Stored HTML Injection at contentLink |
| CVE-2024-29179 | unknown | — | — | 2y ago | phpMyFAQ Stored Cross-site Scripting at File Attachments |
| CVE-2024-27299 | unknown | — | — | 2y ago | phpMyFAQ SQL Injection at "Save News" |
| CVE-2024-29196 | unknown | — | — | 2y ago | phpMyFAQ Path Traversal in Attachments |
| CVE-2024-24574 | unknown | — | — | 2y ago | phpMyFAQ vulnerable to stored XSS on attachments filename |
| CVE-2024-22208 | unknown | — | — | 2y ago | phpMyFAQ sharing FAQ functionality can easily be abused for phishing purposes |
| CVE-2024-22202 | unknown | — | — | 2y ago | phpMyFAQ User Removal Page Allows Spoofing Of User Details |
| CVE-2022-3608 | unknown | — | — | 4y ago | phpMyFAQ vulnerable to Cross-site Scripting |