CVE-2026-24422
📋 TL;DR
This vulnerability in phpMyFAQ exposes sensitive user information through multiple public API endpoints due to insufficient access controls. Attackers can harvest email addresses for phishing campaigns and access content marked as private. All users running phpMyFAQ versions 4.0.16 and below are affected.
💻 Affected Systems
- phpMyFAQ 4.0.16 and earlier (fixed in 4.0.17)
📦 What is this software?
phpMyFAQ is an open-source FAQ web application written in PHP (repository: https://github.com/thorsten/phpMyFAQ). It exposes a REST API under /api/v2.0/, which is where the affected endpoints live.
⚠️ Risk & Real-World Impact
Worst Case
Mass email harvesting leading to targeted phishing campaigns, exposure of all private FAQ content, and potential credential theft through follow-up attacks.
Likely Case
Email address collection for spam/phishing campaigns and unauthorized access to content marked as non-public.
If Mitigated
Limited exposure if the API endpoints are restricted to authenticated users or reachable only from trusted networks.
🎯 Exploit Status
Unauthenticated HTTP GET requests to the affected endpoints return the data directly; no credentials, special tooling or exploit chain is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.17
Vendor Advisory: https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc
Restart Required: No
Instructions:
1. Back up your phpMyFAQ installation and database.
2. Download version 4.0.17 from the official repository.
3. Replace all files with the new version.
4. Verify the update completed successfully (the admin dashboard should report 4.0.17) and re-test the endpoints listed under How to Verify.
🔧 Temporary Workarounds
Restrict API Access
Block public access to the vulnerable API endpoints using web server configuration or firewall rules. Note that both rules below block the whole REST API, including any legitimate integrations, until the patch is applied.
# Apache: add to .htaccess in the phpMyFAQ document root (needs mod_rewrite and AllowOverride)
RewriteEngine On
RewriteRule ^api/.*$ - [F]
# Nginx: add to the server block, before any other regex location (first regex match wins)
location ~ ^/api/ { deny all; }
Disable Public API
Configure phpMyFAQ to disable public API access entirely if it is not required.
# In the phpMyFAQ admin configuration, switch off public REST API access; the exact option name depends on the version
🧯 If You Can't Patch
- Implement strict network access controls to limit API endpoint exposure to trusted IPs only.
- Deploy a web application firewall (WAF) with rules to detect and block sensitive data exposure patterns.
🔍 How to Verify
Check if Vulnerable:
Send an unauthenticated GET request to /api/v2.0/open-questions (and to the other affected endpoints: /api/v2.0/comments, /api/v2.0/news, /api/v2.0/faq) and check whether the JSON response contains email addresses or entries with isVisible=false.
Check Version:
Check the version.php file or admin dashboard for version number.
Verify Fix Applied:
Confirm that after patching, the same API endpoints no longer return email addresses or non-public content without proper authentication.
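The following checker automates the verification above. It is an added example for this page, not phpMyFAQ project code, and it assumes nothing about the exact response layout: it walks any JSON recursively, flags string values that contain an email address, and flags objects whose isVisible field is false. The SAMPLE_LEAK and SAMPLE_FIXED bodies are constructed for illustration; point probe() at a real instance to test it.

```python
"""Probe phpMyFAQ public API endpoints for leaked emails / non-public content.

Added example for this advisory, not phpMyFAQ code. The JSON shape of the
real responses is NOT assumed; every leaf is inspected.
"""
import json
import re
import sys
import urllib.request
from typing import Any, Iterator

# Endpoints named in the advisory (assumed reachable under the site root).
ENDPOINTS = [
    "/api/v2.0/open-questions",
    "/api/v2.0/comments",
    "/api/v2.0/news",
    "/api/v2.0/faq",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def assess(body: str) -> dict:
    """Return findings for one unauthenticated response body.

    emails: (path, value) for every string leaf containing an email address
    hidden: json path of every object whose isVisible field is false
    """
    findings: dict = {"emails": [], "hidden": []}
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return findings  # not JSON (e.g. a 403 HTML page): nothing to assess
    for path, value in walk(doc):
        if isinstance(value, str) and EMAIL_RE.search(value):
            findings["emails"].append((path, value))
        if path.endswith(".isVisible") and value in (False, 0, "0", "false"):
            findings["hidden"].append(path.rsplit(".isVisible", 1)[0])
    return findings


def is_vulnerable(body: str) -> bool:
    """True if an unauthenticated response exposes either class of data."""
    f = assess(body)
    return bool(f["emails"] or f["hidden"])


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch each endpoint without credentials and assess the body (network)."""
    results = {}
    for ep in ENDPOINTS:
        req = urllib.request.Request(
            base_url.rstrip("/") + ep, headers={"Accept": "application/json"}
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[ep] = assess(resp.read().decode("utf-8", "replace"))
        except Exception as exc:  # blocked, 403, timeout: record and move on
            results[ep] = {"error": str(exc)}
    return results


# Constructed sample bodies: what a leaking and a fixed instance might return.
SAMPLE_LEAK = json.dumps([
    {"id": 1, "question": "How do I reset my password?", "author": "Jane Doe",
     "email": "jane.doe@example.com", "isVisible": True},
    {"id": 2, "question": "Internal rollout date?", "author": "ops",
     "email": "", "isVisible": False},
])
SAMPLE_FIXED = json.dumps([
    {"id": 1, "question": "How do I reset my password?", "isVisible": True},
])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for ep, result in probe(sys.argv[1]).items():
            print(ep, result)
    else:
        print("leaking sample:", assess(SAMPLE_LEAK))
        print("fixed sample vulnerable?", is_vulnerable(SAMPLE_FIXED))
```

Run it as `python check.py https://faq.example.org` against a test instance; a non-empty emails or hidden list on any endpoint means the instance is still exposed. After patching, re-run and expect empty lists (or a 401/403 error entry) for every endpoint.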
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of requests to /api/v2.0/open-questions, /api/v2.0/comments, /api/v2.0/news, /api/v2.0/faq endpoints from untrusted sources.
Network Indicators:
- HTTP GET requests to API endpoints returning email addresses in response bodies.
SIEM Query:
source="web_server" AND (uri_path="/api/v2.0/open-questions" OR uri_path="/api/v2.0/comments" OR uri_path="/api/v2.0/news" OR uri_path="/api/v2.0/faq") AND status=200
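The SIEM query above lists every successful hit; the indicator the advisory describes is a burst of such hits from one source. The script below, an added example for this page and not phpMyFAQ or vendor code, parses combined-format access log lines and flags any client IP that receives a threshold number of 200 responses from the affected endpoints inside a sliding window. The log lines, threshold and window are constructed for illustration.

```python
"""Flag bursts of successful requests to the affected phpMyFAQ API endpoints.

Added example for this advisory (not phpMyFAQ code). Input: Apache/Nginx
combined log format. Threshold and window are illustrative defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints named in the advisory; sub-paths (e.g. /api/v2.0/faq/<id>) count too.
WATCHED = (
    "/api/v2.0/open-questions",
    "/api/v2.0/comments",
    "/api/v2.0/news",
    "/api/v2.0/faq",
)


def parse(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop query string
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": path,
        "status": int(m.group("status")),
    }


def is_watched(path: str) -> bool:
    return any(path == w or path.startswith(w + "/") for w in WATCHED)


def find_harvesters(lines: Iterable[str], threshold: int = 5,
                    window_s: int = 60) -> dict:
    """Return {ip: peak_count} for IPs with >= threshold successful hits on
    watched endpoints within any window_s-second sliding window."""
    window = timedelta(seconds=window_s)
    recent: dict = defaultdict(deque)  # ip -> timestamps inside the window
    flagged: dict = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec["status"] != 200 or not is_watched(rec["path"]):
            continue  # only successful hits leak data; 403s mean a block worked
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and q[0] < rec["ts"] - window:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample: one scripted client enumerating the API, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:12:00:01 +0000] "GET /api/v2.0/open-questions HTTP/1.1" 200 4812 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2026:12:00:02 +0000] "GET /api/v2.0/faq/1/1 HTTP/1.1" 200 1020 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2026:12:00:02 +0000] "GET /api/v2.0/faq/1/2 HTTP/1.1" 200 988 "-" "python-requests/2.31"
198.51.100.5 - - [10/Jan/2026:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:12:00:03 +0000] "GET /api/v2.0/comments?page=1 HTTP/1.1" 200 2210 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2026:12:00:04 +0000] "GET /api/v2.0/comments?page=2 HTTP/1.1" 200 2301 "-" "python-requests/2.31"
198.51.100.5 - - [10/Jan/2026:12:00:09 +0000] "GET /api/v2.0/news HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:12:00:06 +0000] "GET /api/v2.0/news HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2026:12:05:30 +0000] "GET /api/v2.0/comments HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for ip, count in find_harvesters(SAMPLE_LOG.splitlines()).items():
        print(f"possible harvesting: {ip} ({count} API hits within 60s)")
```

Feed it a real log with `find_harvesters(open("access.log"))`; tune threshold and window to the site's normal API traffic, and treat a flagged IP as a candidate for a manual check of what the response bodies contained (the Network Indicators entry above).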