CVE Catalog

CVE-2026-56396

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile - higher than 16% of all known CVEs

Summary

phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights to escalate to SuperAdmin access.

Risk Assessment

Privilege escalation by unauthorized users can lead to serious security breaches, including unauthorized access to sensitive data and administrative functions. Organizations should be aware of the risks associated with improper permission management.

Recommendation

It is recommended to update phpMyFAQ to version 4.1.4 or later to mitigate these authorization vulnerabilities. Additionally, a user permission audit should be conducted to ensure that only authorized administrators have access to critical functions.

Original NVD description (English source)

phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights to escalate to SuperAdmin access.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS