Thorsten/phpmyfaq

This hub aggregates every CVE we track for Thorsten/phpmyfaq, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Thorsten/phpmyfaq.

• CVE-2026-27836phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint7.5Feb 27, 2026
• CVE-2026-24422phpMyFAQ: Public API endpoints expose emails and invisible questions5.3Jan 24, 2026
• CVE-2026-24420phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)6.5Jan 24, 2026
• CVE-2026-24421phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user6.5Jan 24, 2026
• CVE-2025-69200phpMyFAQ has unauthenticated config backup download via /api/setup/backup7.5Dec 29, 2025
• CVE-2025-68951phpMyFAQ has stored XSS in admin "List of users" via display_name HTML entity decoding (html_entity_decode) + Twig |raw5.4Dec 29, 2025
• CVE-2023-53929phpMyFAQ 3.1.12 CSV Injection via User Profile Export8.8Dec 17, 2025
• CVE-2025-62519phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality7.2Nov 17, 2025
• CVE-2025-59943phpMyFAQ duplicate email registration allows multiple accounts with the same email8.1Oct 3, 2025
• CVE-2024-56199phpMyFAQ Vulnerable to Stored HTML Injection at FAQ5.2Jan 2, 2025
• CVE-2024-55889phpMyFAQ Vulnerable to Unintended File Download Triggered by Embedded Frames4.9Dec 13, 2024
• CVE-2024-54141phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available8.6Dec 6, 2024
• CVE-2023-6890Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq5.4Dec 16, 2023
• CVE-2023-6889Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq5.4Dec 16, 2023
• CVE-2023-5866Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in thorsten/phpmyfaq5.7Oct 31, 2023