Vulnerability Description
phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solution_id_{id}.html endpoint. Attackers can sequentially iterate solution IDs to discover all FAQs including those restricted to specific users or groups, leaking sensitive metadata through redirect Location headers and page canonical links.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-99qv-g4x9-mgc3
- https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-information-disclo
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-99qv-g4x9-mgc3
FAQ
What is CVE-2026-46366?
CVE-2026-46366 is a vulnerability with a CVSS score of 7.5 (HIGH). phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted F...
How severe is CVE-2026-46366?
CVE-2026-46366 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-46366?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.