pkg:Packagist/thorsten/phpmyfaq

All known vulnerabilities

• CRITICAL9.8CVE-2026-46364phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha
  from 0, < 4.1.2
• CRITICAL9.8CVE-2023-0789Command Injection in thorsten/phpmyfaq
  from 0, < 3.1.11
• CRITICAL9.8CVE-2023-0788Code Injection in thorsten/phpmyfaq
  from 0, < 3.1.11
• CRITICAL9.8phpMyFAQ Improper Authentication vulnerability
  from 0, < 3.1.10
• CRITICAL9.8phpMyFAQ contains Weak Password Requirements
  from 0, < 3.1.8
• CRITICAL9.1phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id
  from 0, < 4.1.2
• CRITICAL9.1phpMyFAQ Cross-site Scripting vulnerability
  from 0, < 3.1.18
• CRITICAL9.0phpMyFAQ Cross-site Scripting vulnerability
  from 0, < 3.1.18
• HIGH8.9thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) in FAQ comment username parameter
  from 0, < 3.1.12
• HIGH8.8phpMyFAQ: IDOR Account Takeover
  from 0, < 4.1.3
• HIGH8.8phpMyFAQ contains a CSV injection vulnerability
  from 0, <= 3.1.12
• HIGH8.8phpMyFAQ Stored Cross-site Scripting vulnerability
  from 0, < 3.1.16
• HIGH8.8phpMyFAQ Improper Neutralization of Formula Elements in a CSV File vulnerability
  from 0, < 3.1.16
• HIGH8.8thorsten/phpmyfaq vulnerable privilege escalation from improper privilege management
  from 0, < 3.1.12
• HIGH8.8Uncaught Exception in thorsten/phpmyfaq
  from 0, < 3.1.11
• HIGH8.8Weak Password Requirements in thorsten/phpmyfaq
  from 0, < 3.1.11
• HIGH8.8phpMyFAQ CSRF
  from 0, < 2.9.11
• HIGH8.6phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available
  from 0, < 4.0.0
• HIGH8.4phpMyFAQ vulnerable to Cross-site Scripting
  from 0, < 3.2.0-alpha
• HIGH8.3phpMyFAQ Cross-site Scripting vulnerability
  from 0, < 3.1.18
• HIGH8.3thorsten/phpmyfaq vulnerable to business logic errors
  from 0, < 3.1.12
• HIGH8.3thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via artlang parameter
  from 0, < 3.1.12
• HIGH8.3thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via adminlog
  from 0, < 3.1.12
• HIGH8.2phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration
  from 0, < 4.1.3
• HIGH8.2phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation
  from 0, < 4.1.3
• HIGH8.2Cross Site Scripting in thorsten/phpmyfaq
  from 0, < 3.1.13
• HIGH8.1phpMyFAQ duplicate email registration allows multiple accounts with the same email
  >= 4.0.7, < 4.0.13
• HIGH8.1thorsten/phpmyfaq vulnerable to DOM cross-site scripting (XSS) via configuration privacy note URL parameter
  from 0, < 3.1.12
• HIGH8.1thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via FAQ News link parameter
  from 0, < 3.1.12
• HIGH7.6Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
  from 0, < 4.1.2
• HIGH7.6Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
  >= 4.1.1, < 4.1.2
• HIGH7.6Insufficient Session Expiration in thorsten/phpmyfaq
  from 0, < 3.2.2
• HIGH7.5phpMyFAQ: Default Empty API Token Authentication Bypass
  from 0, < 4.1.3
• HIGH7.5phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
  from 0, < 4.1.2
• HIGH7.5phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
  from 0, < 4.1.2
• HIGH7.5phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint
  from 0, < 4.0.18
• HIGH7.5phpMyFAQ has unauthenticated config backup download via /api/setup/backup
  from 0, < 4.0.16
• HIGH7.5phpMyFAQ has insecure HTTP cookies
  from 0, < 3.1.9
• HIGH7.4phpMyFAQ Cross-site Scripting vulnerability
  from 0, < 3.2.1
• HIGH7.3thorsten/phpmyfaq vulnerable to authentication bypass
  from 0, < 3.1.12
• HIGH7.2phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
  from 0, < 4.0.14
• MEDIUM6.9phpMyFAQ has stored XSS via | raw Filter in search.twig — html_entity_decode(strip_tags()) Bypass in Search Result Rendering
  from 0, < 4.1.2
• MEDIUM6.7thorsten/phpmyfaq vulnerable to cross-site scripting
  from 0, < 3.1.14
• MEDIUM6.6phpMyFAQ Improper Access Control vulnerability
  from 0, < 3.1.13
• MEDIUM6.5Duplicate Advisory: phpMyFAQ: Path traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins
  from 0, < 4.1.2
• MEDIUM6.5phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check
  from 0, < 4.1.2
• MEDIUM6.5phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)
  from 0, < 4.0.17
• MEDIUM6.5phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)
  from 0, < 4.0.17
• MEDIUM6.5phpMyFAQ allows unrestricted file types in image field
  from 0, < 3.1.18
• MEDIUM6.3Sensitive cookie in HTTPS session without 'Secure' attribute in thorsten/phpmyfaq
  from 0, < 3.2.1
• MEDIUM6.3phpMyFaq Cross-site Scripting vulnerability
  from 0, < 3.1.18
• MEDIUM6.3thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via category field name parameter
  from 0, < 3.1.12
• MEDIUM6.1phpMyFAQ Cross-site Scripting vulnerability
  from 0, < 3.2.2
• MEDIUM6.1Cross Site Scripting in thorsten/phpmyfaq
  from 0, < 3.1.13
• MEDIUM6.1phpMyFAQ vulnerable to Stored Cross-site Scripting
  from 0, < 3.1.13
• MEDIUM6.1thorsten/phpmyfaq is vulnerable to cross-site scripting (XSS)
  from 0, < 3.1.10
• MEDIUM6.1phpMyFAQ Reflected Cross-site Scripting vulnerability
  from 0, < 3.1.10
• MEDIUM6.1phpMyFAQ vulnerable to Cross-site Scripting
  from 0, < 3.1.9
• MEDIUM6.1phpMyFAQ vulnerable to reflected Cross-site Scripting
  from 0, < 3.1.8
• MEDIUM6.0thorsten/phpmyfaq vulnerable to cross-site scripting
  from 0, < 3.1.14
• MEDIUM5.5phpMyFAQ has weak password requirements
  from 0, < 3.1.12
• MEDIUM5.4Duplicate Advisory: phpMyFAQ: Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization
  from 0, < 4.1.2
• MEDIUM5.4Duplicate Advisory: phpMyFAQ: SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS
  from 0, < 4.1.2
• MEDIUM5.4phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation
  from 0, < 4.1.1
• MEDIUM5.4phpMyFAQ has Stored XSS in user list via admin-managed display_name
  >= 4.0.14, < 4.0.16
• MEDIUM5.4phpMyFAQ Cross-site Scripting vulnerability
  from 0, < 3.1.17
• MEDIUM5.4phpMyFAQ Cross-site Scripting vulnerability
  from 0, < 3.1.17
• MEDIUM5.4Cross-site Scripting (XSS) in thorsten/phpmyfaq
  from 0, < 3.2.2
• MEDIUM5.4phpMyFAQ vulnerable to stored Cross-site Scripting
  from 0, < 3.2.0-beta
• MEDIUM5.4phpMyFAQ vulnerable to stored Cross-site Scripting
  from 0, < 3.2.0-beta
• MEDIUM5.4Cross-site Scripting in thorsten/phpmyfaq
  from 0, < 3.1.12
• MEDIUM5.4thorsten/phpmyfaq vulnerable to improper access control
  from 0, < 3.1.12
• MEDIUM5.4phpMyFAQ Cross-site Scripting vulnerability
  from 0, < 3.1.12
• MEDIUM5.4phpMyFAQ Code Injection vulnerability
  from 0, < 3.1.12
• MEDIUM5.4Cross-site Scripting in thorsten/phpmyfaq
  from 0, < 3.1.11
• MEDIUM5.4Cross-site Scripting in thorsten/phpmyfaq
  from 0, < 3.1.11
• MEDIUM5.4Code Injection in thorsten/phpmyfaq
  from 0, < 3.1.11
• MEDIUM5.4Cross-site Scripting in thorsten/phpmyfaq
  from 0, < 3.1.11
• MEDIUM5.4phpMyFAQ Stored Cross-site Scripting vulnerability
  from 0, < 3.1.10
• MEDIUM5.4phpMyFAQ Stored Cross-site Scripting vulnerability
  from 0, < 3.1.10
• MEDIUM5.4phpMyFAQ Stored Cross-site Scripting vulnerability
  from 0, < 3.1.10
• MEDIUM5.4phpMyFAQ Stored Cross-site Scripting vulnerability
  from 0, < 3.1.10
• MEDIUM5.4phpMyFAQ Stored Cross-site Scripting vulnerability
  from 0, < 3.1.10
• MEDIUM5.4phpMyFAQ vulnerable to Cross-site Scripting
  from 0, < 3.1.9
• MEDIUM5.4phpMyFAQ vulnerable to stored Cross-site Scripting
  from 0, < 3.1.8
• MEDIUM5.3phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure
  from 0, < 4.1.1
• MEDIUM5.3phpMyFAQ: Public API endpoints expose emails and invisible questions
  from 0, < 4.0.17
• MEDIUM5.2phpMyFAQ Vulnerable to Stored HTML Injection at FAQ
  >= 3.2.10, <= 4.0.1
• MEDIUM5.2phpMyFAQ Cross-site Scripting
  from 0, < 3.2.0-beta.2
• MEDIUM4.9thorsten/phpmyfaq Unintended File Download Triggered by Embedded Frames
  from 0, < 3.2.10
• MEDIUM4.8phpMyFAQ Stored Cross-site Scripting vulnerability
  from 0, < 3.1.12
• MEDIUM4.8phpMyFAQ Stored Cross-site Scripting vulnerability
  from 0, < 3.1.12
• MEDIUM4.8Cross-site Scripting in thorsten/phpmyfaq
  from 0, < 3.1.11
• MEDIUM4.7thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via HTML export
  from 0, < 3.1.12
• MEDIUM4.7thorsten/phpmyfaq vulnerable to cross-site scripting (XSS) via stopword parameter
  from 0, < 3.1.12
• MEDIUM4.7thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via updatecategory parameter
  from 0, < 3.1.12
• MEDIUM4.7phpMyFAQ vulnerable to improper input validation
  from 0, < 3.1.12
• MEDIUM4.3phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ
  >= 4.1.1, < 4.1.2
• MEDIUM4.3phpMyFAQ's Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User
  from 0, < 4.1.2
• MEDIUM4.3Misinterpretation of Input in thorsten/phpmyfaq
  from 0, < 3.1.11