CVE-2025-69200
Published: 29 December 2025
Summary
CVE-2025-69200 is a high-severity Exposure of Sensitive Information Through Data Queries (CWE-202) vulnerability in phpMyFAQ (vendor: phpMyFAQ). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 13.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
phpMyFAQ is an open source FAQ web application affected by an information disclosure vulnerability in all versions prior to 4.0.16. The flaw allows generation of a configuration backup ZIP archive containing sensitive files such as database.php through an unauthenticated POST request to /api/setup/backup; the resulting archive is placed in a web-accessible location and can be downloaded directly.
An unauthenticated remote attacker can exploit the issue over the network with low complexity to obtain database credentials and other configuration data, enabling high-impact information disclosure and potential follow-on compromise of the application and its underlying database.
The official fix is included in phpMyFAQ 4.0.16, as noted in the project's GitHub security advisory GHSA-9cg9-4h4f-j6fg and the corresponding commit that addresses the backup endpoint exposure.
EPSS for the CVE rose from a low baseline to a peak of 0.0555 on 2026-04-27 before receding to the current value of 0.0267, indicating a period of increased exploitation interest after disclosure.
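Because the vulnerable request is a single unauthenticated POST to /api/setup/backup followed by a direct fetch of the generated archive, web-server access logs are the natural place to look for abuse. The following detector is an added example for this page; it is not code from the phpMyFAQ project or its advisory. It assumes Apache/nginx "combined"-style access logs in chronological order, a 10-minute correlation window (an arbitrary choice), and a placeholder ZIP path in the constructed sample lines, since this page does not state where phpMyFAQ writes the backup.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache "combined"-style). The ZIP path is a
# placeholder for the web-accessible backup location, which this page does not name.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Dec/2025:10:01:02 +0000] "POST /api/setup/backup HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [30/Dec/2025:10:01:05 +0000] "GET /PLACEHOLDER-backup-dir/backup.zip HTTP/1.1" 200 40960 "-" "curl/8.0"
198.51.100.7 - - [30/Dec/2025:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Dec/2025:10:06:00 +0000] "GET /assets/archive.zip HTTP/1.1" 404 300 "-" "Mozilla/5.0"
"""

# Matches the leading fields of a combined-format line; trailing referer/UA are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

BACKUP_ENDPOINT = "/api/setup/backup"          # endpoint named in the advisory
DOWNLOAD_WINDOW = timedelta(minutes=10)        # assumption: correlation window after the POST


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string before comparing paths
    return rec


def find_backup_abuse(log_text):
    """Return findings for backup-endpoint hits and ZIP downloads that follow them.

    Any POST to the backup endpoint is reported (the endpoint should not be reachable
    from the open internet at all); a successful GET of a .zip from the same client
    within DOWNLOAD_WINDOW is reported as a likely retrieval of the generated archive.
    Lines are assumed to be in chronological order.
    """
    findings = []
    last_trigger = {}  # client ip -> timestamp of its most recent backup POST
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == BACKUP_ENDPOINT:
            last_trigger[rec["ip"]] = rec["ts"]
            findings.append({
                "kind": "backup_trigger",
                "ip": rec["ip"],
                "status": rec["status"],
                "ts": rec["ts"].isoformat(),
            })
        elif rec["method"] == "GET" and rec["path"].lower().endswith(".zip") and rec["status"] == 200:
            triggered_at = last_trigger.get(rec["ip"])
            if triggered_at is not None and timedelta(0) <= rec["ts"] - triggered_at <= DOWNLOAD_WINDOW:
                findings.append({
                    "kind": "backup_download",
                    "ip": rec["ip"],
                    "path": rec["path"],
                    "ts": rec["ts"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for finding in find_backup_abuse(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this flags the POST from 203.0.113.5 and its ZIP fetch three seconds later, while the unrelated 404 on /assets/archive.zip from 198.51.100.7 is ignored because that client never hit the backup endpoint. In production the "backup_trigger" finding alone is worth paging on for any instance below 4.0.16, and a "backup_download" after it should be treated as credential exposure: rotate the database credentials in database.php and review the database for follow-on activity.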
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-205600
Vulnerability details
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue.
- CWE(s): CWE-202 (Exposure of Sensitive Information Through Data Queries)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.