ByteOS Network

NVD Vulnerability Details :

CVE-2026-45009

Received

Source-disclosure@vulncheck.com

Published At-15 May, 2026 | 19:17

Updated At-15 May, 2026 | 21:16

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 4.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses

CWE ID	Type	Source
CWE-863	Secondary	disclosure@vulncheck.com

CWE ID: CWE-863

Type: Secondary

Source: disclosure@vulncheck.com

References

Hyperlink	Source	Resource
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5	disclosure@vulncheck.com	N/A
https://www.vulncheck.com/advisories/phpmyfaq-insufficient-authorization-check-in-admin-api-endpoints	disclosure@vulncheck.com	N/A
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5	134c704f-9b21-4f2e-91b3-4a467353bcc0	N/A