CVE-2026-57995
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk24th percentile — higher than 24% of all known CVEs
Summary
phpMyFAQ before version 4.1.5 contains a privilege escalation vulnerability in GroupController::updatePermissions that allows GROUP_EDIT administrators to grant arbitrary rights to groups without verifying they hold those rights themselves. A delegated administrator can exploit this by assigning high-value permissions to a group they belong to, inheriting those rights and escalating privileges up to full administrative control.
Risk Assessment
The risk is the potential for unauthorized full administrative takeover by a limited-privilege administrator, which could compromise the confidentiality, integrity, and availability of data and the entire application.
Recommendation
Immediately upgrade phpMyFAQ to version 4.1.5 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in GroupController::updatePermissions that allows GROUP_EDIT administrators to grant arbitrary rights to groups without verifying they hold those rights themselves. A delegated administrator can exploit this by assigning high-value permissions to a group they belong to, inheriting those rights and escalating privileges up to full administrative control.

