Cyber Resilience

CVE-2025-69200

High · Public PoC

Published: 29 December 2025

Modified: 07 January 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0267 (86.1th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-69200 is a high-severity Exposure of Sensitive Information Through Data Queries (CWE-202) vulnerability in phpMyFAQ. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 13.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

phpMyFAQ is an open source FAQ web application affected by an information disclosure vulnerability in all versions prior to 4.0.16. The flaw allows generation of a configuration backup ZIP archive containing sensitive files such as database.php through an unauthenticated POST request to /api/setup/backup; the resulting archive is placed in a web-accessible location and can be downloaded directly.

An unauthenticated remote attacker can exploit the issue over the network with low complexity to obtain database credentials and other configuration data, enabling high-impact information disclosure and potential follow-on compromise of the application and its underlying database.

The official fix is included in phpMyFAQ 4.0.16, as noted in the project's GitHub security advisory GHSA-9cg9-4h4f-j6fg and the corresponding commit that addresses the backup endpoint exposure.
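For hosts that ran a version prior to 4.0.16, the following added example (not code from phpMyFAQ or its advisory) shows one way to review web server access logs for the request pattern described above: a POST to `/api/setup/backup` followed by a ZIP download from the same client. The combined log format, the 10-minute correlation window, the function name and the sample lines (including the ZIP path, which the page does not specify) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format (assumed).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
BACKUP_PATH = "/api/setup/backup"   # endpoint named in the vulnerability description
WINDOW = timedelta(minutes=10)      # assumed correlation window

# Constructed sample log lines (documentation address ranges, placeholder ZIP path).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Jan/2026:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Jan/2026:10:15:09 +0000] "POST /api/setup/backup HTTP/1.1" 200 87 "-" "curl/8.5.0"
192.0.2.44 - - [02/Jan/2026:10:15:11 +0000] "GET /example-location/backup.zip HTTP/1.1" 200 20480 "-" "curl/8.5.0"
198.51.100.7 - - [02/Jan/2026:10:16:40 +0000] "GET /downloads/manual.zip HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Jan/2026:10:20:00 +0000] "POST /api/setup/backup HTTP/1.1" 403 0 "-" "python-requests/2.32"
"""

def find_backup_abuse(log_text):
    """Return one finding per backup POST, with ZIP downloads by the same client."""
    pending = {}    # client IP -> finding for its latest successful backup POST
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        status = int(m["status"])
        if m["method"] == "POST" and path.rstrip("/") == BACKUP_PATH:
            finding = {"ip": m["ip"], "time": ts, "status": status, "zips": []}
            findings.append(finding)
            if 200 <= status < 300:
                pending[m["ip"]] = finding
        elif m["method"] == "GET" and path.lower().endswith(".zip") and status == 200:
            finding = pending.get(m["ip"])
            if finding and ts - finding["time"] <= WINDOW:
                finding["zips"].append(path)
    return findings

if __name__ == "__main__":
    for f in find_backup_abuse(SAMPLE_LOG):
        sev = "CRITICAL" if f["zips"] else ("HIGH" if f["status"] < 300 else "INFO")
        print(sev, f["ip"], f["time"].isoformat(), f["status"], f["zips"])
```

A finding with a successful POST and a following ZIP download means the credentials in `database.php` should be treated as exposed and rotated, in addition to upgrading to 4.0.16.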

EPSS for the CVE rose from a low baseline to a peak of 0.0555 on 2026-04-27 before receding to the current value of 0.0267, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue.

CWE(s)

CWE-202: Exposure of Sensitive Information Through Data Queries

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

phpmyfaq
phpmyfaq
4.1.0 · ≤ 4.0.16

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
