GHSA-5h62-f8fg-4w7q

Source

https://github.com/advisories/GHSA-5h62-f8fg-4w7q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5h62-f8fg-4w7q/GHSA-5h62-f8fg-4w7q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5h62-f8fg-4w7q

Aliases

CVE-2026-46365

Published

2026-05-15T21:31:32Z

Modified

2026-05-21T21:30:22.607769992Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVSS Calculator

Summary

phpMyFAQ: Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags

Details

phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, including regular frontend users, can delete arbitrary tags by sending a DELETE request with a valid session cookie, resulting in permanent data loss and disruption of FAQ organization.

Database specific

{
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T21:17:33Z",
    "nvd_published_at": "2026-05-15T19:17:03Z",
    "severity": "MODERATE"
}

References

Affected packages

Packagist / phpMyFAQ/phpMyFAQ

Package

Name: phpMyFAQ/phpMyFAQ
Purl: pkg:composer/phpMyFAQ%2FphpMyFAQ

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5h62-f8fg-4w7q/GHSA-5h62-f8fg-4w7q.json"

Packagist / thorsten/phpMyFAQ

Package

Name: thorsten/phpMyFAQ
Purl: pkg:composer/thorsten%2FphpMyFAQ

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5h62-f8fg-4w7q/GHSA-5h62-f8fg-4w7q.json"