CVE-2026-24420 — MEDIUM (6.5)

Q: How severe is CVE-2026-24420?

CVE-2026-24420 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-24420?

Check the references section above for vendor advisories and patch information. Affected products include: Phpmyfaq Phpmyfaq.

Vulnerability Description

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Phpmyfaq	Phpmyfaq	< 4.0.17

Related Weaknesses (CWE)

CWE-284

References

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhvExploitVendor Advisory

FAQ

What is CVE-2026-24420?

CVE-2026-24420 is a vulnerability with a CVSS score of 6.5 (MEDIUM). phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissio...

How severe is CVE-2026-24420?

CVE-2026-24420 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-24420?

Check the references section above for vendor advisories and patch information. Affected products include: Phpmyfaq Phpmyfaq.