GHSA-wm8h-26fv-mg7g

Source

https://github.com/advisories/GHSA-wm8h-26fv-mg7g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-wm8h-26fv-mg7g/GHSA-wm8h-26fv-mg7g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wm8h-26fv-mg7g

Aliases

CVE-2026-24421

Published

2026-01-23T20:17:25Z

Modified

2026-02-03T03:07:09.717553Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)

Details

Summary

Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP.

Details

SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path.

PoC

Precondition: API enabled, any authenticated non‑admin user. - Log in as a non‑admin user. - Call backup endpoint.

curl -c /tmp/pmf_api_cookies.txt \
  -H 'Content-Type: application/json' \
  -d '{"username":"tester","password":"Test1234!"}' \
  http://192.168.40.16/phpmyfaq/api/v3.0/login

curl -i -b /tmp/pmf_api_cookies.txt \
  -X POST --data '4.0.16' \
  http://192.168.40.16/phpmyfaq/api/setup/backup

Impact

Low‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposure.

Database specific

{
    "nvd_published_at": "2026-01-24T02:15:49Z",
    "cwe_ids": [
        "CWE-285",
        "CWE-862"
    ],
    "github_reviewed_at": "2026-01-23T20:17:25Z",
    "github_reviewed": true,
    "severity": "MODERATE"
}

References

Affected packages

Packagist / phpmyfaq/phpmyfaq

Package

Name: phpmyfaq/phpmyfaq
Purl: pkg:composer/phpmyfaq/phpmyfaq

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.17

Affected versions

2.*

2.8.0-alpha2

2.8.0-alpha3

2.8.0-beta

2.8.0-beta2

2.8.0-beta3

2.8.0-RC

2.8.0-RC2

2.8.0-RC3

2.8.0-RC4

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.8.10

2.8.11

2.8.12

2.8.13

2.8.14

2.8.15

2.8.16

2.8.17

2.8.18

2.8.19

2.8.20

2.8.21

2.8.22

2.8.23

2.8.24

2.8.25

2.8.26

2.8.27

2.8.28

2.8.29

2.9.0-alpha

2.9.0-alpha2

2.9.0-alpha3

2.9.0-alpha4

2.9.0-beta

2.9.0-beta2

2.9.0-rc

2.9.0-rc2

2.9.0-rc3

2.9.0-rc4

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.9.10

2.9.11

2.9.12

2.9.13

2.10.0-alpha

3.*

3.0.0-alpha

3.0.0-alpha.2

3.0.0-alpha.3

3.0.0-alpha.4

3.0.0-beta

3.0.0-beta.2

3.0.0-beta.3

3.0.0-RC

3.0.0-RC.2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.1.0-alpha

3.1.0-alpha.2

3.1.0-alpha.3

3.1.0-beta

3.1.0-RC

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.2.0-alpha

3.2.0-beta

3.2.0-beta.2

3.2.0-RC

3.2.0-RC.2

3.2.0-RC.4

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.2.10

4.*

4.0.0-alpha

4.0.0-alpha.2

4.0.0-alpha.3

4.0.0-alpha.4

4.0.0-beta

4.0.0-beta.2

4.0.0-RC

4.0.0-RC.2

4.0.0-RC.3

4.0.0-RC.4

4.0.0-RC.5

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.11

4.0.12

4.0.13

4.0.14

4.0.15

4.0.16

Database specific

last_known_affected_version_range

"<= 4.0.16"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-wm8h-26fv-mg7g/GHSA-wm8h-26fv-mg7g.json"

Packagist / thorsten/phpmyfaq